Analysis
- max time kernel: 15s
- max time network: 66s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 18:14
Static task: static1
Behavioral task: behavioral1
Sample: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Resource: win7v20201028
General
- Target: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Size: 2.1MB
- MD5: 760ba691b33453c6fee622d5757cfdd0
- SHA1: bdf715f38cd5609e036f95abf14d6ede8fd084da
- SHA256: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d
- SHA512: 6a777757074ab9e2f49474230d74c6e96a48f6a08dc64cf279bc44269bd5df25cfd13d001caf9e8df51323a87445adc1b395d24816c178969e09e20ba3c7a373
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 3428 Decoder.exe
- Resources matching yara_rule "vmprotect":
  - behavioral2/memory/1112-3-0x0000000000650000-0x0000000000651000-memory.dmp
  - C:\ProgramData\Decoder.exe
  - C:\ProgramData\Decoder.exe
  - behavioral2/memory/3428-17-0x00000000007F0000-0x00000000007F1000-memory.dmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc):
  - 5 api.ipify.org
  - 6 api.ipify.org
  - 10 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
  - 1424 timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1112 d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
  - 1112 d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 1112 wrote to memory of 3428, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe, Decoder.exe
  - PID 1112 wrote to memory of 3428, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe, Decoder.exe
  - PID 1112 wrote to memory of 3428, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe, Decoder.exe
  - PID 1112 wrote to memory of 400, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe, cmd.exe
  - PID 1112 wrote to memory of 400, 1112, d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe, cmd.exe
  - PID 400 wrote to memory of 1424, 400, cmd.exe, timeout.exe
  - PID 400 wrote to memory of 1424, 400, cmd.exe, timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Decoder.exe
    Command line: "C:\ProgramData\Decoder.exe"
    - Executes dropped EXE
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Decoder.exe
  MD5: 2e95885be2e46e197adcc0bc6245c2de
  SHA1: 715785863d460d328bb8ec6356dd95e62fe160ce
  SHA256: 7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee
  SHA512: f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f
- C:\Users\Admin\AppData\Local\Temp\.cmd
  MD5: 73712247036b6a24d16502c57a3e5679
  SHA1: 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
  SHA256: 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
  SHA512: 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
- memory/400-12-0x0000000000000000-mapping.dmp
- memory/1112-7-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (Filesize: 4KB)
- memory/1112-6-0x000000001B690000-0x000000001B692000-memory.dmp (Filesize: 8KB)
- memory/1112-5-0x000000001BBA0000-0x000000001BC11000-memory.dmp (Filesize: 452KB)
- memory/1112-3-0x0000000000650000-0x0000000000651000-memory.dmp (Filesize: 4KB)
- memory/1112-2-0x00007FFC48AB0000-0x00007FFC4949C000-memory.dmp (Filesize: 9.9MB)
- memory/1424-15-0x0000000000000000-mapping.dmp
- memory/3428-10-0x0000000000000000-mapping.dmp
- memory/3428-16-0x0000000073290000-0x000000007397E000-memory.dmp (Filesize: 6.9MB)
- memory/3428-17-0x00000000007F0000-0x00000000007F1000-memory.dmp (Filesize: 4KB)