1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae

Analysis

max time kernel
146s
max time network
146s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
Size

392KB
MD5

57593773a392df0619b0052695fb5e6f
SHA1

376dc24d2cadd9f7c2ba6e639d929c4133a19a78
SHA256

1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae
SHA512

3e9207e778ce2d7ec6e09cab6c6f399cf6d4b5a2fed1c853cbc2755e7b33bbef611bad60befba409f775b6d6ca86be6b9dee0d7d6627a6057da023f1f773a199

Score

8^/10

persistence spyware vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1432	325.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1432-23-0x000000001CAE0000-0x000000001CAE1000-memory.dmp	vmprotect
behavioral2/files/0x000500000001a4f4-32.dat	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdates = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeApplication = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com
26	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 2580 set thread context of 3212	2580	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	76

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	325.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	325.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3944	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3488	taskkill.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe
1432	325.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2580	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
3212	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	325.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	3488	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3212	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3212	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 656 wrote to memory of 2580	656	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	72
PID 2580 wrote to memory of 3212	2580	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	76
PID 2580 wrote to memory of 3212	2580	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	76
PID 2580 wrote to memory of 3212	2580	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	76
PID 3212 wrote to memory of 1432	3212	explorer.exe	80
PID 3212 wrote to memory of 1432	3212	explorer.exe	80
PID 1432 wrote to memory of 2292	1432	325.exe	82
PID 1432 wrote to memory of 2292	1432	325.exe	82
PID 2292 wrote to memory of 3624	2292	cmd.exe	84
PID 2292 wrote to memory of 3624	2292	cmd.exe	84
PID 2292 wrote to memory of 1300	2292	cmd.exe	85
PID 2292 wrote to memory of 1300	2292	cmd.exe	85
PID 2292 wrote to memory of 2328	2292	cmd.exe	86
PID 2292 wrote to memory of 2328	2292	cmd.exe	86
PID 1432 wrote to memory of 1228	1432	325.exe	87
PID 1432 wrote to memory of 1228	1432	325.exe	87
PID 1228 wrote to memory of 2716	1228	cmd.exe	89
PID 1228 wrote to memory of 2716	1228	cmd.exe	89
PID 1228 wrote to memory of 3488	1228	cmd.exe	90
PID 1228 wrote to memory of 3488	1228	cmd.exe	90
PID 1432 wrote to memory of 1004	1432	325.exe	92
PID 1432 wrote to memory of 1004	1432	325.exe	92
PID 1004 wrote to memory of 3028	1004	cmd.exe	94
PID 1004 wrote to memory of 3028	1004	cmd.exe	94
PID 1004 wrote to memory of 3488	1004	cmd.exe	95
PID 1004 wrote to memory of 3488	1004	cmd.exe	95
PID 1004 wrote to memory of 3944	1004	cmd.exe	96
PID 1004 wrote to memory of 3944	1004	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
"C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
  "C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\325.exe
      "C:\Users\Admin\AppData\Local\Temp\325.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3624
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:1300
      - C:\Windows\system32\findstr.exe
        
        findstr All
        6⤵
        
        PID:2328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2716
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:3488
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2D2E.tmp.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3028
      - C:\Windows\system32\taskkill.exe
        
        TaskKill /F /IM 1432
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
      - C:\Windows\system32\timeout.exe
        
        Timeout /T 2 /Nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:3944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-23-0x000000001CAE0000-0x000000001CAE1000-memory.dmp

Filesize
4KB

Download
memory/1432-13-0x0000000001F50000-0x0000000001FC0000-memory.dmp

Filesize
448KB

Download
memory/1432-14-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1432-25-0x0000000001EC0000-0x0000000001EC5000-memory.dmp

Filesize
20KB

Download
memory/1432-22-0x000000001C9D0000-0x000000001C9D1000-memory.dmp

Filesize
4KB

Download
memory/1432-11-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1432-10-0x00007FFB84A80000-0x00007FFB8546C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3048-5-0x00000000005B0000-0x00000000005B5000-memory.dmp

Filesize
20KB

Download
memory/3212-2-0x0000000000820000-0x000000000082F000-memory.dmp

Filesize
60KB

Download