Analysis
- max time kernel: 135s
- max time network: 131s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-05-2020 12:10
- Static task: static1
- Behavioral task: behavioral1 (Sample: report.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: report.exe, Resource: win10v200430)
General
- Target: report.exe
- Size: 359KB
- MD5: 2b6e4fef6c9a6a11b8d841bcf8c3b378
- SHA1: 14c13bc7d0ec2f9d71e235493bf3857b792628c0
- SHA256: 9821a9264d6d80673739f0a02ad46176f2eeab5e0fedddbafa5047ac10b21a94
- SHA512: 1faa40aa84ba1f5b64d67a292c85da562ae16fc464c1b29883593eb4f7c98f8abe42a300e169747b3aba524708d9e686b711ea1fc1748bb970136d24902bb178
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Makes http(s) request (4 IoCs)
  Contacts server via http/https, possibly for C2 communication.
  description | flow | ioc
  HTTP URL | 1549 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAZ%2FJIGKSEebzF%2FToS9iYaY%3D
  HTTP URL | 1545 | http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1588860734384
  HTTP URL | 1547 | https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1588860734915
  HTTP URL | 1549 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  1432 | report.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1432 wrote to memory of 792 | 1432 | report.exe | 24 (4 events)
  PID 1432 wrote to memory of 1364 | 1432 | report.exe | 34 (4 events)
  PID 1432 wrote to memory of 1488 | 1432 | report.exe | 35 (4 events)
- Suspicious behavior: EnumeratesProcesses (151 IoCs)
  pid | Process
  1432 | report.exe (151 events)
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Modifies Internet Explorer settings (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1432 | report.exe
  Token (each recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1552 | WMIC.exe
  Token: SeBackupPrivilege | 1656 | vssvc.exe
  Token: SeRestorePrivilege | 1656 | vssvc.exe
  Token: SeAuditPrivilege | 1656 | vssvc.exe
  Token: SeDebugPrivilege | 2004 | taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1364 | mshta.exe (2 events)
- Blacklisted process makes network request (3 IoCs)
  flow | pid | Process
  1545 | 1364 | mshta.exe
  1547 | 1364 | mshta.exe
  1549 | 1364 | mshta.exe
- Modifies service (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
- Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | report.exe
  File created | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | report.exe
  File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | report.exe
  File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | report.exe
  File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | report.exe
  File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | report.exe
- Deletes itself (1 IoCs)
  pid | Process
  1488 | cmd.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp618.bmp" | report.exe
- Kills process with taskkill (1 IoCs)
  pid | Process
  2004 | taskkill.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1516 | PING.EXE
Processes (the leading number is the depth in the process tree; indented entries are children of the entry above)

1. C:\Users\Admin\AppData\Local\Temp\report.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\report.exe"
   PID: 1432
   Signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Drops file in Program Files directory; Sets desktop wallpaper using registry
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 792
      3. C:\Windows\system32\wbem\WMIC.exe
         Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
         PID: 1552
         Signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
      PID: 1364
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Blacklisted process makes network request
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 1488
      Signatures: Deletes itself
      3. C:\Windows\system32\taskkill.exe
         Command line: taskkill /f /im "report.exe"
         PID: 2004
         Signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill
      3. C:\Windows\system32\PING.EXE
         Command line: ping -n 1 127.0.0.1
         PID: 1516
         Signatures: Runs ping.exe
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 1656
   Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
   PID: 1308