Analysis
- max time kernel: 16s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 16:54
Static task: static1
Behavioral task: behavioral1
Sample: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Resource: win7v20201028
General
- Target: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Size: 2.1MB
- MD5: 760ba691b33453c6fee622d5757cfdd0
- SHA1: bdf715f38cd5609e036f95abf14d6ede8fd084da
- SHA256: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d
- SHA512: 6a777757074ab9e2f49474230d74c6e96a48f6a08dc64cf279bc44269bd5df25cfd13d001caf9e8df51323a87445adc1b395d24816c178969e09e20ba3c7a373
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1532  process Decoder.exe
- YARA rule matches (resource / yara_rule)
  Processes:
    resource behavioral2/memory/644-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp  yara_rule vmprotect
    resource C:\ProgramData\Decoder.exe  yara_rule vmprotect
    resource C:\ProgramData\Decoder.exe  yara_rule vmprotect
    resource behavioral2/memory/1532-17-0x00000000000F0000-0x00000000000F1000-memory.dmp  yara_rule vmprotect
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 8   ioc api.ipify.org
    flow 10  ioc api.ipify.org
    flow 14  ioc ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 3800  process timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
    pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description Token: SeDebugPrivilege  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description PID 644 wrote to memory of 1532  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe  target process Decoder.exe
    description PID 644 wrote to memory of 1532  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe  target process Decoder.exe
    description PID 644 wrote to memory of 1532  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe  target process Decoder.exe
    description PID 644 wrote to memory of 2128  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe  target process cmd.exe
    description PID 644 wrote to memory of 2128  pid 644  process d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe  target process cmd.exe
    description PID 2128 wrote to memory of 3800  pid 2128  process cmd.exe  target process timeout.exe
    description PID 2128 wrote to memory of 3800  pid 2128  process cmd.exe  target process timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Decoder.exe (depth 2)
    command line: "C:\ProgramData\Decoder.exe"
    - Executes dropped EXE
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Decoder.exe
  MD5: 2e95885be2e46e197adcc0bc6245c2de
  SHA1: 715785863d460d328bb8ec6356dd95e62fe160ce
  SHA256: 7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee
  SHA512: f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f
- C:\Users\Admin\AppData\Local\Temp\.cmd
  MD5: 73712247036b6a24d16502c57a3e5679
  SHA1: 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
  SHA256: 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
  SHA512: 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
- memory/644-5-0x0000000001460000-0x0000000001462000-memory.dmp  Filesize: 8KB
- memory/644-9-0x0000000003070000-0x00000000030E1000-memory.dmp  Filesize: 452KB
- memory/644-6-0x0000000001450000-0x0000000001451000-memory.dmp  Filesize: 4KB
- memory/644-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp  Filesize: 4KB
- memory/644-2-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmp  Filesize: 9.9MB
- memory/1532-10-0x0000000000000000-mapping.dmp
- memory/1532-16-0x0000000073DC0000-0x00000000744AE000-memory.dmp  Filesize: 6.9MB
- memory/1532-17-0x00000000000F0000-0x00000000000F1000-memory.dmp  Filesize: 4KB
- memory/2128-12-0x0000000000000000-mapping.dmp
- memory/3800-15-0x0000000000000000-mapping.dmp