Overview

overview

10

Static

static

10

0caa6fb680...c6.exe

windows7_x64

10

0caa6fb680...c6.exe

windows10_x64

10

165ec181ff...71.exe

windows7_x64

9

165ec181ff...71.exe

windows10_x64

9

19f1fcac5e...22.exe

windows7_x64

1

19f1fcac5e...22.exe

windows10_x64

1

1a3642fa7d...de.exe

windows7_x64

9

1a3642fa7d...de.exe

windows10_x64

9

1d6d8960e8...5d.exe

windows7_x64

9

1d6d8960e8...5d.exe

windows10_x64

9

213f46a611...fc.exe

windows7_x64

9

213f46a611...fc.exe

windows10_x64

9

284c9bd06a...47.exe

windows7_x64

9

284c9bd06a...47.exe

windows10_x64

9

2b08cbe646...d4.exe

windows7_x64

9

2b08cbe646...d4.exe

windows10_x64

9

2c44be7232...76.exe

windows7_x64

6

2c44be7232...76.exe

windows10_x64

6

2e1deb95bf...f0.exe

windows7_x64

9

2e1deb95bf...f0.exe

windows10_x64

9

2f7a2890d3...2b.exe

windows7_x64

8

2f7a2890d3...2b.exe

windows10_x64

8

36fc7610e5...6f.exe

windows7_x64

9

36fc7610e5...6f.exe

windows10_x64

9

3842928b05...6a.exe

windows7_x64

8

3842928b05...6a.exe

windows10_x64

8

3af2caadbf...ae.exe

windows7_x64

9

3af2caadbf...ae.exe

windows10_x64

9

416baeb19a...40.exe

windows7_x64

7

416baeb19a...40.exe

windows10_x64

7

448a675cb7...2c.exe

windows7_x64

8

448a675cb7...2c.exe

windows10_x64

8

Resubmissions

17-01-2021 19:18

210117-5hwxlye88x 10

17-01-2021 17:05

210117-6jkt8jz44e 10

17-01-2021 10:25

210117-ncy8vksfgn 10

Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe

  • Size

    4.5MB

  • MD5

    c20351b808023b220b948a520e5eb163

  • SHA1

    6db7728a2ed6406b6d83761df9676e66f6895878

  • SHA256

    2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b

  • SHA512

    939433491c7df9f0fbe8017ac66f5b45b4011d4e3ae2d27fc1718751b9f14d5b1d04020ed4c2ee176be39d1145ec1c4584d6c0d54549bedf7fffdbfe7e20a390

Score
8/10
discoveryspyware

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
    "C:\Users\Admin\AppData\Local\Temp\2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\SysWOW64\CScript.exe
      "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Jaoler\kader\Setup1.vbs" //e:vbscript //B //NOLOGO
      2⤵
      • Blocklisted process makes network request
      • Modifies system certificate store
      PID:3944
    • C:\Program Files (x86)\Jaoler\kader\1.exe
      "C:\Program Files (x86)\Jaoler\kader\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      PID:2896

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2896-9-0x00007FF7FB430000-0x00007FF7FBB4A000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2896-10-0x00007FF7FB430000-0x00007FF7FBB4A000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/2896-11-0x00000188EC760000-0x00000188EC761000-memory.dmp

    Filesize

    4KB

    Download