Analysis
- max time kernel: 14s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 01-03-2021 13:18

Static task: static1
Behavioral task: behavioral1
Sample: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
Resource: win7v20201028
General
- Target: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
- Size: 2.4MB
- MD5: e2ff2b8181e08ad9638e802775cac4a6
- SHA1: 2f4a054b49bd2550ae927f85e02292277e9f24b9
- SHA256: 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0
- SHA512: 00515c0c873edee75118f5be067a954743924307d7be87a2787f2044d4783561ea96ae4fdf12983e8dbe6dd473c5961f44af3d6b3882ad6b4acc8c22c014d544
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 2688 Decoder.exe
- YARA rule match
  Resource behavioral2/memory/984-3-0x0000000000560000-0x0000000000561000-memory.dmp matched rule vmprotect
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow, ioc): 6 api.ipify.org; 7 api.ipify.org; 13 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process): 4040 timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process): 984 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege, 984 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (source pid and process -> target pid and process):
  984 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe wrote to memory of 2688 Decoder.exe (3 events)
  984 69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe wrote to memory of 524 cmd.exe (2 events)
  524 cmd.exe wrote to memory of 4040 timeout.exe (2 events)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69fa6aa34cf0ae63c618d3dc67f123f2bcc2e4e21f28caf45f799206beebfff0.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Decoder.exe
    Command line: "C:\ProgramData\Decoder.exe"
    Signatures: Executes dropped EXE
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 4
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Decoder.exe
  MD5: de81e7651c6e62b4c7195ac2e6befbc0
  SHA1: 1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
  SHA256: eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
  SHA512: 3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b
- C:\Users\Admin\AppData\Local\Temp\.cmd
  MD5: 73712247036b6a24d16502c57a3e5679
  SHA1: 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
  SHA256: 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
  SHA512: 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
- memory/524-12-0x0000000000000000-mapping.dmp
- memory/984-6-0x000000001B750000-0x000000001B752000-memory.dmp (Filesize: 8KB)
- memory/984-7-0x0000000000E30000-0x0000000000E31000-memory.dmp (Filesize: 4KB)
- memory/984-2-0x00007FF901620000-0x00007FF90200C000-memory.dmp (Filesize: 9.9MB)
- memory/984-5-0x000000001B6B0000-0x000000001B721000-memory.dmp (Filesize: 452KB)
- memory/984-3-0x0000000000560000-0x0000000000561000-memory.dmp (Filesize: 4KB)
- memory/2688-10-0x0000000000000000-mapping.dmp
- memory/2688-16-0x0000000073800000-0x0000000073EEE000-memory.dmp (Filesize: 6.9MB)
- memory/2688-17-0x0000000000700000-0x0000000000701000-memory.dmp (Filesize: 4KB)
- memory/4040-15-0x0000000000000000-mapping.dmp