Analysis

max time kernel: 13s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 11:59

Static task: static1
Behavioral task: behavioral1
  Sample: 91cee6dd31c751aaefb0262491131d80.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 91cee6dd31c751aaefb0262491131d80.exe
  Resource: win10v20201028

General

Target: 91cee6dd31c751aaefb0262491131d80.exe
Size: 448KB
MD5: 4376d0d5d4d90a28dff32caf78aad03c
SHA1: 56ba7c2f016235894fed7a7916b68e053f64ebba
SHA256: 8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb
SHA512: 95bbed9ba8277d462d979e8e48af6a9bd4f783f74461585fde9c5b4f5039f7ecd00a3c82a5725f2e4de0bc7ff95371064565afcb0306929e53bd07323552f918

Note that the submitted file name (91cee6dd31c751aaefb0262491131d80.exe) is not the file's MD5; pivot on the hashes above, not on the name. The behavioral results below are from the windows10_x64 run (resource win10v20201028).
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1360  process .exe

Reads user/profile data of web browsers (2 TTPs, no IoCs listed)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \registry\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   process: .exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\\.exe\" ?"   process: .exe
  Despite the signature name, both IoCs are on the RunOnce key (Windows deletes a RunOnce value after launching it once), not Run, and they are written under WOW6432Node, i.e. through the 32-bit registry view on this x64 VM, which is consistent with a 32-bit writer. The writing process is the dropped binary itself (.exe, pid 1360), so the persistence entry is created by the second-stage file, not by the submitted sample. The value name is "AD Network" and the target is the dropped file in a GUID-named directory under the user's AppData\Local.
Checks installed software on the system (1 TTP, no IoCs listed)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Modifies Internet Explorer settings (5 IoCs; the signature is attributed to the parent process in the process tree below)
  Key deleted      \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}   process: 91cee6dd31c751aaefb0262491131d80.exe
  Key created      \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}   process: 91cee6dd31c751aaefb0262491131d80.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000"   process: 91cee6dd31c751aaefb0262491131d80.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase"   process: 91cee6dd31c751aaefb0262491131d80.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}"   process: 91cee6dd31c751aaefb0262491131d80.exe
  Net effect: the existing search scope {0633EE93-D776-472F-A0FF-E1416B8B2E3A} is deleted, a new scope named "Gigabase" pointing at http://www.gigabase.ru/search?q={searchTerms}&uin=1000 is created, and it is made the default, so Internet Explorer address-bar searches are redirected to gigabase.ru. All of these keys live under the sandbox user's hive (HKU\S-1-5-21-3341490333-719741536-2920803124-1000), so the hijack is per-user and needs no elevation.
Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/"   process: 91cee6dd31c751aaefb0262491131d80.exe
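The registry events in the three signatures above (a RunOnce entry pointing at a dropped file, a search scope swapped for gigabase.ru, and a start page set to ctel.ru) are the kind of thing a rule should classify automatically. The following Python is an added example, not part of the Triage report or of the sample: it parses the report's own event lines (transcribed inline as constructed input, in the "<op> <key> = "<value>" <process>" layout the page prints) with a regex written for this example, tags each event as autorun persistence or browser hijack, extracts the launched image path and the hijack hosts, and flags the details a practitioner cares about (RunOnce rather than Run, WOW6432Node, user-writable target path). The regexes, `Finding` type and function names are this example's own, not a Triage API.

```python
"""Classify sandbox registry events into persistence and browser-hijack findings."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: the registry IoCs transcribed from the report above,
# one event per line as the report prints them: <op> <key>[ = "<value>"] <process>
REGISTRY_EVENTS = r'''
Key created \registry\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce .exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\\.exe\" ?" .exe
Key deleted \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} 91cee6dd31c751aaefb0262491131d80.exe
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971} 91cee6dd31c751aaefb0262491131d80.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000" 91cee6dd31c751aaefb0262491131d80.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase" 91cee6dd31c751aaefb0262491131d80.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}" 91cee6dd31c751aaefb0262491131d80.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/" 91cee6dd31c751aaefb0262491131d80.exe
'''

# Hypothetical line grammar for the report's flattened event text (this example's own).
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \(\w+\)) '
    r'(?P<key>.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+)$')
# Autostart keys under HKLM/HKCU ...\CurrentVersion (case-insensitive, either registry view).
AUTORUN_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)(?:\\|$)', re.I)
IE_SCOPE_RE = re.compile(
    r'\\Internet Explorer\\SearchScopes(?:\\(?P<scope>\{[0-9A-F-]+\}))?(?:\\(?P<leaf>\w+))?$', re.I)
IE_START_RE = re.compile(r'\\Internet Explorer\\Main\\Start Page$', re.I)


@dataclass
class Finding:
    kind: str
    process: str
    key: str
    detail: str


def parse_events(text):
    """Split the report text into dicts with op/key/value/proc; fail loudly on unknown lines."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append(m.groupdict())
    return events


def _unquote_path(value):
    # The report escapes quotes and backslashes inside values; the image is the first quoted token.
    s = value.replace('\\"', '"').replace('\\\\', '\\')
    return s.split('"')[1] if s.startswith('"') else s.split(' ')[0]


def analyze(text):
    findings = []
    for ev in parse_events(text):
        op, key, value, proc = ev["op"], ev["key"], ev["value"], ev["proc"]
        is_set = op.startswith("Set value")
        m = AUTORUN_RE.search(key)
        if m and is_set:
            path = _unquote_path(value)
            flags = []
            if "wow6432node" in key.lower():
                flags.append("32-bit registry view")
            if re.search(r"\\AppData\\", path, re.I):
                flags.append("user-writable path")
            if m.group(1).lower() == "runonce":
                flags.append("RunOnce entry is removed by Windows after one launch")
            findings.append(Finding("autorun-persistence", proc, key,
                                    f"{path} via {m.group(1)}; " + ", ".join(flags)))
            continue
        sm = IE_SCOPE_RE.search(key)
        if sm:
            scope, leaf = sm.group("scope"), (sm.group("leaf") or "").lower()
            if op == "Key deleted" and scope:
                findings.append(Finding("ie-searchscope-removed", proc, key, scope))
            elif is_set and leaf == "url":
                findings.append(Finding("ie-searchscope-url", proc, key,
                                        f"{scope} -> {urlparse(value).hostname}"))
            elif is_set and leaf == "defaultscope":
                findings.append(Finding("ie-defaultscope-changed", proc, key, value))
            continue
        if IE_START_RE.search(key) and is_set:
            findings.append(Finding("ie-startpage-changed", proc, key, urlparse(value).hostname))
    return findings


def hijack_hosts(findings):
    """Hosts the browser is steered to: the pivot/blocklist candidates from this report."""
    hosts = {f.detail.split(" -> ")[-1] for f in findings
             if f.kind in ("ie-searchscope-url", "ie-startpage-changed")}
    return sorted(hosts)


if __name__ == "__main__":
    found = analyze(REGISTRY_EVENTS)
    for f in found:
        print(f"{f.kind:24} {f.process:40} {f.detail}")
    print("hijack hosts:", hijack_hosts(found))
```

The same classifier runs unchanged over the win7 task's events or over another Triage report in this layout; the "Key created" lines deliberately produce no finding on their own, since creating an autorun key or a search-scope key is only interesting once a value is written into it.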
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3980  process 91cee6dd31c751aaefb0262491131d80.exe  (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeManageVolumePrivilege  pid 3980  process 91cee6dd31c751aaefb0262491131d80.exe
  Token: SeDebugPrivilege         pid 3980  process 91cee6dd31c751aaefb0262491131d80.exe
  SeDebugPrivilege is the privilege needed to open handles to processes owned by other users or protected by their ACLs; the sample enables it before the process enumeration and cross-process memory writes listed on this page.
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3980 wrote to memory of 1360  (91cee6dd31c751aaefb0262491131d80.exe -> .exe), reported three times
  Pid 1360 is the dropped .exe that 3980 itself launches (see the process tree below). A parent writing a few times into a child it has just spawned is also what ordinary process creation looks like, so on its own this signature is weak evidence of injection; writes into a process the writer did not spawn would be the pattern to escalate. Nothing on this page shows 3980 writing into any other process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe  (pid 3980)
   command line: "C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe"
   - Modifies Internet Explorer settings
   - Modifies Internet Explorer start page
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe  (pid 1360, child of 1)
      command line as rendered on the page: >
      - Executes dropped EXE
      - Adds Run key to start application
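An added example, not from the report and not the sample's code: a pivot over the pids, image paths, WriteProcessMemory events and dropped-file hashes transcribed from this page (the hashes come from the Downloads section below), answering the three questions an analyst settles from a tree like this one: is the dropped file the one that actually ran, do the memory writes target anything other than the child the sample spawned, and is the RunOnce target a self-copy of the sample or a distinct payload. The data structures and function names are this example's own; the path heuristic (GUID-named directory under AppData holding a file with no basename) is an assumption generalised from the one path on the page.

```python
"""Pivot over the report's process, memory-write and dropped-file data."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input, transcribed from the report (pids, image paths, MD5s).
SAMPLE_MD5 = "4376d0d5d4d90a28dff32caf78aad03c"
PROCESSES = {
    3980: r"C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe",
    1360: r"C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe",
}
PARENT = {1360: 3980}                 # process tree: entry 2 is a child of entry 1
MEMORY_WRITES = [(3980, 1360)] * 3    # "PID 3980 wrote to memory of 1360", three IoCs
DROPPED_FILES = {                     # path -> MD5, from the Downloads section
    r"C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe":
        "bc946336443689a1d2fe120208a8d2d4",
    r"C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.cfg":
        "20165a79bcccf30bbef992c7820b2829",
}
RUNONCE_TARGET = r"C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe"

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def suspicious_drop_path(path):
    """Heuristic (an assumption of this example): a GUID-named directory somewhere under
    AppData whose file has an extension but no basename, e.g. ...\{GUID}\.exe."""
    p = PureWindowsPath(path)
    in_profile = any(part.lower() == "appdata" for part in p.parts)
    guid_dir = GUID_RE.fullmatch(p.parent.name) is not None
    no_basename = re.fullmatch(r"\.[A-Za-z0-9]+", p.name) is not None
    return in_profile and guid_dir and no_basename


def dropped_and_executed():
    """Pids whose image is one of the dropped files (what 'Executes dropped EXE' asserts)."""
    dropped = {path.lower() for path in DROPPED_FILES}
    return sorted(pid for pid, image in PROCESSES.items() if image.lower() in dropped)


def classify_memory_writes():
    """Split WriteProcessMemory events into writes into the writer's own direct child
    (low signal: seen around ordinary process creation) and writes into unrelated
    processes (the injection pattern worth escalating)."""
    counts = Counter()
    for writer, target in MEMORY_WRITES:
        kind = "parent-to-child" if PARENT.get(target) == writer else "cross-process"
        counts[kind] += 1
    return dict(counts)


def persisted_payload_is_self_copy():
    """True if the RunOnce target hashes to the submitted sample, i.e. the sample merely
    copied itself; False means a distinct second-stage binary was dropped."""
    md5 = DROPPED_FILES.get(RUNONCE_TARGET)
    return md5 is not None and md5.lower() == SAMPLE_MD5.lower()


def triage_summary():
    return {
        "dropped_and_executed_pids": dropped_and_executed(),
        "memory_writes": classify_memory_writes(),
        "runonce_target_is_self_copy": persisted_payload_is_self_copy(),
        "runonce_target_path_suspicious": suspicious_drop_path(RUNONCE_TARGET),
    }


if __name__ == "__main__":
    for key, val in triage_summary().items():
        print(f"{key}: {val}")
```

For this report the summary says: the dropped .exe is the process that ran as pid 1360, all three memory writes go from the sample into that child and none into an unrelated process, and the RunOnce target's MD5 (bc946336...) does not match the sample's (4376d0d5...), so the file that survives on disk is a separate payload and needs its own analysis; its hash is the one to hunt for on other hosts.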
Network
  (no network IoCs are listed on this page)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.cfg
  MD5: 20165a79bcccf30bbef992c7820b2829
  SHA1: 00445acf5c6cc679e76d47b519132cb9485fd445
  SHA256: 7104e9fd4c65275f9e5c9557188f11f56faf9e9e54543a4c8e42284830a3bc6a
  SHA512: eb968a59eb2fe7440596e8d57fb64b79b8ae2ddc79f8812200248653165d3b1285ffcd5d0381fd0980fecad9b76ccea613c515dfb1f1e15d850d6e3eacb0052f

C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe
  MD5: bc946336443689a1d2fe120208a8d2d4
  SHA1: fd732b24c336a8f96ffb330daa49a231075389e9
  SHA256: 673e38d55492d70c2a5120e65cee5b820e51a4564e3530daab61d0a85cd54fb1
  SHA512: 652db4d08a6d9562e8964e7d89e27efb72f8b2e268abe326a524332d765c8d32b576033beaafec3f48e0fa41c193e42f78dec4473f4cdcc3b5e23ee1ed3e9669
  These hashes differ from the submitted sample's (MD5 4376d0d5d4d90a28dff32caf78aad03c), so the file registered in RunOnce is a distinct dropped payload, not a copy of the sample. It sits next to a .cfg in the same GUID-named directory; the page does not show the .cfg's contents.
Memory dumps

memory/1360-1-0x0000000000000000-mapping.dmp
memory/1360-4-0x00000000007F7000-0x00000000007F8000-memory.dmp  (4KB)
memory/3980-0-0x0000000000937000-0x0000000000938000-memory.dmp  (4KB)