Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 02:32

General

  • Target

    6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe

  • Size

    1.1MB

  • MD5

    25ca92613089d713e77e03140bfc2e46

  • SHA1

    3918be6a75063293154ab39e8a8735bd79283213

  • SHA256

    6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4

  • SHA512

    106e96f3f312efe0c01a5784c35e766cfb6a8c1b50da876accbe92120ec84a579aab81651233b1c68492ba17f0860b2c18ef93203f50298aa56ec6c8862f4ba5

Score
8/10

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe
    "C:\Users\Admin\AppData\Local\Temp\6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo yAvKCDDZU
      2⤵
        PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < jDEfkEXjdkpsYDsjiTiclOLsjvLnRCqj.ehVayaShFInxDvDcZMznplnRjeOTmcNkWvWdcUwBgiFyhXJ
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 ureO.aly
            4⤵
            • Runs ping.exe
            PID:3700
          • C:\Windows\SysWOW64\certutil.exe
            certutil -decode vgVzFIdoNRePPIlFBCwgNBVOGveDdCgG.tnZoBDBTJrNmSXwMUmbvQHUzuNoFMRl RU
            4⤵
            PID:824
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SgrmBroker.com
              SgrmBroker.com RU
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SgrmBroker.com
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SgrmBroker.com RU
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:3480
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ftp.exe
                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ftp.exe
                  6⤵
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Suspicious use of WriteProcessMemory
                  PID:1424
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dhaqkpwfb.exe"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:796
                    • C:\Users\Admin\AppData\Local\Temp\dhaqkpwfb.exe
                      "C:\Users\Admin\AppData\Local\Temp\dhaqkpwfb.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:2540
                      • C:\Windows\SysWOW64\rundll32.exe
                        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,A C:\Users\Admin\AppData\Local\Temp\DHAQKP~1.EXE
                        9⤵
                        • Loads dropped DLL
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2880
                        • C:\Windows\SysWOW64\RUNDLL32.EXE
                          C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,SyckfI0=
                          10⤵
                          • Blacklisted process makes network request
                          • Loads dropped DLL
                          • Checks processor information in registry
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of WriteProcessMemory
                          PID:868
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB641.tmp.ps1"
                            11⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3220
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC5E3.tmp.ps1"
                            11⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1812
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\eohhxnqu.exe"
                    7⤵
                    PID:1232
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\vtrpnwhteqks.exe"
                    7⤵
                    PID:2476
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 3
                  4⤵
                  • Runs ping.exe
                  PID:184

Downloads

  Memory dump                                                       Filesize
  memory/868-35-0x0000000004DC0000-0x0000000005418000-memory.dmp    6.3MB
  memory/1424-18-0x0000000000400000-0x0000000000428000-memory.dmp   160KB
  memory/1424-15-0x0000000000400000-0x0000000000428000-memory.dmp   160KB
  memory/1812-60-0x0000000008060000-0x0000000008061000-memory.dmp   4KB
  memory/1812-51-0x00000000705D0000-0x0000000070CBE000-memory.dmp   6.9MB
  memory/1812-57-0x0000000007AD0000-0x0000000007AD1000-memory.dmp   4KB
  memory/2540-26-0x0000000002EF0000-0x0000000002EF1000-memory.dmp   4KB
  memory/2880-30-0x0000000004E90000-0x00000000054E8000-memory.dmp   6.3MB
  memory/3220-42-0x0000000008280000-0x0000000008281000-memory.dmp   4KB
  memory/3220-45-0x0000000008A20000-0x0000000008A21000-memory.dmp   4KB
  memory/3220-46-0x0000000008A70000-0x0000000008A71000-memory.dmp   4KB
  memory/3220-37-0x0000000070A50000-0x000000007113E000-memory.dmp   6.9MB
  memory/3220-44-0x00000000086E0000-0x00000000086E1000-memory.dmp   4KB
  memory/3220-43-0x00000000082F0000-0x00000000082F1000-memory.dmp   4KB
  memory/3220-38-0x0000000007230000-0x0000000007231000-memory.dmp   4KB
  memory/3220-41-0x0000000008210000-0x0000000008211000-memory.dmp   4KB
  memory/3220-40-0x0000000007910000-0x0000000007911000-memory.dmp   4KB
  memory/3220-39-0x0000000007990000-0x0000000007991000-memory.dmp   4KB