Analysis
- max time kernel: 1519s
- max time network: 1524s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 01-12-2020 14:18
Tasks (every behavioral task ran on resource win10v20201028; the six samples were run three times each):
static1       Static task
behavioral1   Downloads3/139.bin.exe
behavioral2   Downloads3/425895848735145103942784.doc
behavioral3   Downloads3/IgqbCYuTw.bin.exe
behavioral4   Downloads3/SetupFille-v48.09.45.bin.exe
behavioral5   Downloads3/finfisher.1.bin.exe
behavioral6   Downloads3/speakoniasetup-1.0.bin.exe
behavioral7   Downloads3/139.bin.exe
behavioral8   Downloads3/425895848735145103942784.doc
behavioral9   Downloads3/IgqbCYuTw.bin.exe
behavioral10  Downloads3/SetupFille-v48.09.45.bin.exe
behavioral11  Downloads3/finfisher.1.bin.exe
behavioral12  Downloads3/speakoniasetup-1.0.bin.exe
behavioral13  Downloads3/139.bin.exe
behavioral14  Downloads3/425895848735145103942784.doc
behavioral15  Downloads3/IgqbCYuTw.bin.exe
behavioral16  Downloads3/SetupFille-v48.09.45.bin.exe
behavioral17  Downloads3/finfisher.1.bin.exe
behavioral18  Downloads3/speakoniasetup-1.0.bin.exe
General
- Target: Downloads3/IgqbCYuTw.bin.exe
- Size: 831KB
- MD5: a53b06d097028f1e72d5cc2047a4a3cb
- SHA1: 1a48ac9fe688ecc2e92d4ee5c0bcd1d3cc85587e
- SHA256: 0e00f18b21735e6e76c96cb5f0930d71bd78c4347e100260547c12e931ff15ff
- SHA512: 391ca5003bf5a6165ec1e3dda7ba7f24ed936f4a811bc76808843fd5cf4ce46013fa9fdf4e074fab4825b6e0472cf8f014a7c4c615fafa9f600ebc12eef3f7af
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 772 2588071077.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 11: ip-api.com
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process 2588071077.exe:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Kills process with taskkill (2 IoCs)
  Processes: PID 4072 taskkill.exe; PID 3524 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: PID 772 2588071077.exe (30 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4072 taskkill.exe
  Token SeDebugPrivilege: PID 3524 taskkill.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 984 IgqbCYuTw.bin.exe wrote to memory of PID 772 2588071077.exe (3 events)
  PID 984 IgqbCYuTw.bin.exe wrote to memory of PID 776 cmd.exe (3 events)
  PID 776 cmd.exe wrote to memory of PID 4072 taskkill.exe (3 events)
  PID 772 2588071077.exe wrote to memory of PID 212 cmd.exe (3 events)
  PID 212 cmd.exe wrote to memory of PID 3524 taskkill.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Downloads3\IgqbCYuTw.bin.exe (PID 984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Downloads3\IgqbCYuTw.bin.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\Arkei-72727c5d-8d0e-47bb-8579-8067735277ff\2588071077.exe (PID 772)
    Command line: "C:\ProgramData\Arkei-72727c5d-8d0e-47bb-8579-8067735277ff\2588071077.exe"
    Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 212)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 2588071077.exe /f & erase C:\ProgramData\Arkei-72727c5d-8d0e-47bb-8579-8067735277ff\2588071077.exe & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (PID 3524)
        Command line: taskkill /im 2588071077.exe /f
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 776)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im IgqbCYuTw.bin.exe /f & erase C:\Users\Admin\AppData\Local\Temp\Downloads3\IgqbCYuTw.bin.exe & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 4072)
      Command line: taskkill /im IgqbCYuTw.bin.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
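The process tree above shows the same clean-up idiom at both stages: the running binary spawns cmd.exe with `taskkill /im <own image name> /f & erase <own path> & exit`, so the file is gone once the process has been killed. The first stage had earlier copied itself into C:\ProgramData\Arkei-<GUID>\ (the Downloads section below lists the dropped 2588071077.exe with exactly the same MD5/SHA1/SHA256 as the submitted sample), so what dies on disk is a self-copy plus the original. Note also that each cmd.exe is requested as C:\Windows\System32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, which only happens for 32-bit callers, so the parent in each case is a 32-bit process. The Python below is an added detection example written for this page; it is not part of the sandbox report and not code from the sample or the sandbox. It replays Sysmon-style process-creation records (pid/ppid/image/cmdline) constructed from the tree above, with a benign control entry (PID 5000 killing notepad.exe) that is an assumption, and flags the self-delete chain, the WOW64 mismatch and the Arkei staging path.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field set assumed)."""
    pid: int
    ppid: int
    image: str      # on-disk image path as the sandbox/EDR recorded it
    cmdline: str    # command line as the parent requested it


ARKEI_DIR = r"C:\ProgramData\Arkei-72727c5d-8d0e-47bb-8579-8067735277ff"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Downloads3\IgqbCYuTw.bin.exe"

# Constructed events modelled on the process tree in this report. PIDs, images
# and command lines are the report's; ppid 0 for the root and the benign
# control entry (pid 5000 under an assumed shell 4000) are example assumptions.
EVENTS = [
    ProcEvent(984, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(772, 984, ARKEI_DIR + r"\2588071077.exe",
              f'"{ARKEI_DIR}\\2588071077.exe"'),
    ProcEvent(212, 772, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im 2588071077.exe /f & erase '
              + ARKEI_DIR + r"\2588071077.exe & exit"),
    ProcEvent(3524, 212, r"C:\Windows\SysWOW64\taskkill.exe",
              "taskkill /im 2588071077.exe /f"),
    ProcEvent(776, 984, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im IgqbCYuTw.bin.exe /f & erase '
              + SAMPLE + " & exit"),
    ProcEvent(4072, 776, r"C:\Windows\SysWOW64\taskkill.exe",
              "taskkill /im IgqbCYuTw.bin.exe /f"),
    # Benign control: an operator killing a hung editor from an existing shell.
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im notepad.exe /f'),
]

# taskkill on an image name chained to erase/del of a path: the self-delete idiom.
SELF_DELETE_RE = re.compile(
    r"taskkill\s+/im\s+(?P<img>\S+)\s+/f\s*&\s*(?:erase|del)\s+(?P<path>\S+)",
    re.IGNORECASE,
)

# Staging directory seen in this report: <drive>:\ProgramData\Arkei-<GUID>\<digits>.exe
ARKEI_STAGING_RE = re.compile(
    r"^[a-z]:\\programdata\\arkei-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\\d+\.exe$",
    re.IGNORECASE,
)


def find_self_deletion(events):
    """Return cmd.exe events whose taskkill+erase target is their own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m is None or parent is None:
            continue
        parent_name = parent.image.rsplit("\\", 1)[-1]
        # Both the kill target and the erase path must point at the parent itself;
        # an operator killing some other process does not trip this rule.
        if (m.group("img").lower() == parent_name.lower()
                and m.group("path").lower() == parent.image.lower()):
            hits.append({"parent_pid": parent.pid,
                         "parent_image": parent.image,
                         "cmd_pid": e.pid})
    return hits


def is_wow64_redirected(e):
    """True when the parent asked for System32\\x but the image that ran is SysWOW64\\x.

    WOW64 file-system redirection does this for 32-bit callers, so the mismatch
    tells you the parent process is a 32-bit binary.
    """
    return ("\\syswow64\\" in e.image.lower()
            and "\\system32\\" in e.cmdline.lower())


def is_arkei_staging_path(path):
    return ARKEI_STAGING_RE.match(path) is not None


if __name__ == "__main__":
    for h in find_self_deletion(EVENTS):
        print("self-delete chain:", h)
    for e in EVENTS:
        if is_wow64_redirected(e):
            print("32-bit parent (WOW64 redirected):", e.ppid, "->", e.pid)
        if is_arkei_staging_path(e.image):
            print("Arkei staging image:", e.pid, e.image)
```

Run against the constructed events this reports two self-delete chains (parents 772 and 984), marks both cmd.exe children as WOW64-redirected, and matches only the 2588071077.exe image as an Arkei staging path. The rule keys on parent/child identity rather than on the string "taskkill" alone, which is why the control entry stays silent; in a real feed you would still want the same check fed from a process-tree cache rather than a single batch.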
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\Arkei-72727c5d-8d0e-47bb-8579-8067735277ff\2588071077.exe
  MD5: a53b06d097028f1e72d5cc2047a4a3cb
  SHA1: 1a48ac9fe688ecc2e92d4ee5c0bcd1d3cc85587e
  SHA256: 0e00f18b21735e6e76c96cb5f0930d71bd78c4347e100260547c12e931ff15ff
  SHA512: 391ca5003bf5a6165ec1e3dda7ba7f24ed936f4a811bc76808843fd5cf4ce46013fa9fdf4e074fab4825b6e0472cf8f014a7c4c615fafa9f600ebc12eef3f7af
- memory/212-7-0x0000000000000000-mapping.dmp
- memory/772-2-0x0000000000000000-mapping.dmp
- memory/776-5-0x0000000000000000-mapping.dmp
- memory/3524-8-0x0000000000000000-mapping.dmp
- memory/4072-6-0x0000000000000000-mapping.dmp