Overview
overview
10Static
static
80x00010000...55.exe
windows7_x64
10x00010000...55.exe
windows10_x64
10x00010000...47.exe
windows7_x64
10x00010000...47.exe
windows10_x64
10x00010000...70.exe
windows7_x64
80x00010000...70.exe
windows10_x64
80x00010000...13.exe
windows7_x64
80x00010000...13.exe
windows10_x64
80x00020000...73.exe
windows7_x64
10x00020000...73.exe
windows10_x64
10x00020000...83.exe
windows7_x64
100x00020000...83.exe
windows10_x64
100x00020000...36.exe
windows7_x64
80x00020000...36.exe
windows10_x64
80x00020000...40.exe
windows7_x64
70x00020000...40.exe
windows10_x64
70x00030000...09.exe
windows7_x64
100x00030000...09.exe
windows10_x64
100x00030000...22.exe
windows7_x64
100x00030000...22.exe
windows10_x64
100x00030000...26.exe
windows7_x64
100x00030000...26.exe
windows10_x64
0x00030000...34.exe
windows7_x64
100x00030000...34.exe
windows10_x64
100x00030000...06.exe
windows7_x64
100x00030000...06.exe
windows10_x64
100x00030000...41.exe
windows7_x64
100x00030000...41.exe
windows10_x64
100x00030000...45.exe
windows7_x64
10x00030000...45.exe
windows10_x64
10x00030000...48.exe
windows7_x64
80x00030000...48.exe
windows10_x64
8Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-11-2020 10:45
Behavioral task
behavioral1
Sample
0x000100000001ab86-55.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0x000100000001ab86-55.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0x000100000001ab87-47.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
0x000100000001ab87-47.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
0x000100000001ab9c-70.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
0x000100000001ab9c-70.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
0x000100000001ad02-313.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
0x000100000001ad02-313.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
0x000200000001aca8-173.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
0x000200000001aca8-173.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
0x000200000001acb5-183.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
0x000200000001acb5-183.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
0x000200000001acdf-236.exe
Resource
win7v20201028
Behavioral task
behavioral14
Sample
0x000200000001acdf-236.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
0x000200000001ace9-240.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
0x000200000001ace9-240.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
0x000300000001a5a2-209.exe
Resource
win7v20201028
Behavioral task
behavioral18
Sample
0x000300000001a5a2-209.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
0x000300000001ac90-122.exe
Resource
win7v20201028
Behavioral task
behavioral20
Sample
0x000300000001ac90-122.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
0x000300000001ac99-126.exe
Resource
win7v20201028
Behavioral task
behavioral22
Sample
0x000300000001ac99-126.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
0x000300000001ac9e-134.exe
Resource
win7v20201028
Behavioral task
behavioral24
Sample
0x000300000001ac9e-134.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
0x000300000001ac9e-206.exe
Resource
win7v20201028
Behavioral task
behavioral26
Sample
0x000300000001ac9e-206.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
0x000300000001ac9f-141.exe
Resource
win7v20201028
Behavioral task
behavioral28
Sample
0x000300000001ac9f-141.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
0x000300000001acec-245.exe
Resource
win7v20201028
Behavioral task
behavioral30
Sample
0x000300000001acec-245.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
0x000300000001aced-248.exe
Resource
win7v20201028
Behavioral task
behavioral32
Sample
0x000300000001aced-248.exe
Resource
win10v20201028
General
-
Target
0x000200000001ace9-240.exe
-
Size
602KB
-
MD5
637a8b78f4985a7807c6cdb238df4534
-
SHA1
01c47b02ec8b83a0a29590c2512c844318af8710
-
SHA256
87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95
-
SHA512
0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
0x000200000001ace9-240.exepid process 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule \ProgramData\nss3.dll js -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
0x000200000001ace9-240.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 0x000200000001ace9-240.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 0x000200000001ace9-240.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2920 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
0x000200000001ace9-240.exepid process 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe 648 0x000200000001ace9-240.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 2920 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
0x000200000001ace9-240.execmd.exedescription pid process target process PID 648 wrote to memory of 2336 648 0x000200000001ace9-240.exe cmd.exe PID 648 wrote to memory of 2336 648 0x000200000001ace9-240.exe cmd.exe PID 648 wrote to memory of 2336 648 0x000200000001ace9-240.exe cmd.exe PID 2336 wrote to memory of 2920 2336 cmd.exe taskkill.exe PID 2336 wrote to memory of 2920 2336 cmd.exe taskkill.exe PID 2336 wrote to memory of 2920 2336 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000200000001ace9-240.exe"C:\Users\Admin\AppData\Local\Temp\0x000200000001ace9-240.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 0x000200000001ace9-240.exe /f & erase C:\Users\Admin\AppData\Local\Temp\0x000200000001ace9-240.exe & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 0x000200000001ace9-240.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/648-0-0x0000000006440000-0x0000000006441000-memory.dmpFilesize
4KB
-
memory/2336-7-0x0000000000000000-mapping.dmp
-
memory/2920-8-0x0000000000000000-mapping.dmp