Analysis

Max time kernel: 31s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 01-03-2021 16:05

Static task: static1
Behavioral task: behavioral1
Sample: 9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe
Resource: win7v20201028
General

Target: 9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe
Size: 2.4MB
MD5: 7e8b83017a23b0689d96153cff3082be
SHA1: 3447cb1807e91723e417cd329095153cb3f7c092
SHA256: 9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96
SHA512: 324df76b9c4756c05e449115f7c08953cb9d9448906288d8c3842097ab5df5bc812c0f189e77dbd94ad03f4941f05823718b017d13bd371fd6a05654621cdcb4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  1108  Decoder.exe

YARA rule match: vmprotect
  resource     yara_rule   memory dump
  behavioral2  vmprotect   memory/3996-3-0x0000000000400000-0x0000000000401000-memory.dmp
  The rule matched a 4KB dump taken from PID 3996 (the submitted sample) at 0x400000, so the packer indicator applies to the sample itself, not to the dropped Decoder.exe.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  8     api.ipify.org
  9     api.ipify.org

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic heuristic: drive enumeration on its own is also routine for installers and infostealers, and no other signature in this report (no file encryption, no ransom note) points to ransomware.

Delays execution with timeout.exe (1 IoC)
  pid   process
  3892  timeout.exe
  The command line is "timeout 4", a four-second pause inside the dropped .cmd script; a cheap way to outlast short sandbox runs or to wait for a parent process to finish.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe
  3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe
  SeDebugPrivilege lets a process open handles to processes it does not own; taken together with the process enumeration above it indicates the sample inspects other running processes.

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                                                   target process
  PID 3996 wrote to memory of 1108   3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe  Decoder.exe
  PID 3996 wrote to memory of 1108   3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe  Decoder.exe
  PID 3996 wrote to memory of 1108   3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe  Decoder.exe
  PID 3996 wrote to memory of 2128   3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe  cmd.exe
  PID 3996 wrote to memory of 2128   3996  9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe  cmd.exe
  PID 2128 wrote to memory of 3892   2128  cmd.exe                                                                   timeout.exe
  PID 2128 wrote to memory of 3892   2128  cmd.exe                                                                   timeout.exe
  Every write here targets a child the writer had just created (3996 into Decoder.exe and cmd.exe, 2128 into timeout.exe). Process creation on Windows writes the new process's startup parameters into its address space, so these entries record the process tree rather than injection into an unrelated, already-running process.
Processes

C:\Users\Admin\AppData\Local\Temp\9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe (pid 3996)
  command line: "C:\Users\Admin\AppData\Local\Temp\9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\ProgramData\Decoder.exe (pid 1108)
  |     command line: "C:\ProgramData\Decoder.exe"
  |     - Executes dropped EXE
  |
  +-- C:\Windows\system32\cmd.exe (pid 2128)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\system32\timeout.exe (pid 3892)
              command line: timeout 4
              - Delays execution with timeout.exe
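The process tree above is small enough to replay by hand, which makes it a good test case for the detection logic a SOC would run over endpoint telemetry. The block below is an added example and not part of the sandbox report or the sample: it encodes the tree and the IoC tables as event records (the record field names, the sample's own parent pid of 1234, and the extra IP-lookup hosts beyond api.ipify.org are assumptions) and flags the four behaviours the signatures describe: execution of a dropped EXE, the cmd.exe /c <script in %TEMP%> -> timeout.exe delay chain, external-IP lookups, and WriteProcessMemory targets that are not the writer's own child.

```python
"""Replay a sandbox process tree as event records and flag reported behaviours.

Added example, not from the sandbox report. Field names, the sample's parent pid
(1234) and the non-ipify lookup hosts are assumptions; the events are constructed
from the report's process tree and IoC tables.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\9e2dee304f08830bfa6613f4e2f3ed9747f0891e5edea6fdd24b621fab850a96.exe")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    wrote_to: list = field(default_factory=list)  # target pids of WriteProcessMemory calls
    dns: list = field(default_factory=list)       # hostnames this pid resolved


# Constructed from the process tree and IoC tables in the report; not raw sandbox output.
EVENTS = [
    ProcEvent(3996, 1234, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"',  # ppid 1234 is assumed
              wrote_to=[1108, 1108, 1108, 2128, 2128],
              dns=["api.ipify.org", "api.ipify.org"]),
    ProcEvent(1108, 3996, r"C:\ProgramData\Decoder.exe", r'"C:\ProgramData\Decoder.exe"'),
    ProcEvent(2128, 3996, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""',
              wrote_to=[3892]),
    ProcEvent(3892, 2128, r"C:\Windows\system32\timeout.exe", "timeout 4"),
]

# Files the report lists as dropped by the sample.
DROPPED = {r"C:\ProgramData\Decoder.exe", r"C:\Users\Admin\AppData\Local\Temp\.cmd"}

# api.ipify.org is the host seen in the report; the other two are assumed extras.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}


def executes_dropped_exe(events, dropped=DROPPED):
    """pids whose image is an .exe the sample dropped ('Executes dropped EXE')."""
    dropped_lc = {d.lower() for d in dropped}
    return [e.pid for e in events
            if e.image.lower() in dropped_lc and e.image.lower().endswith(".exe")]


def timeout_delay_chain(events):
    """cmd.exe /c <script under \\Temp\\> spawning timeout.exe -> (cmd pid, timeout pid, seconds)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith(r"\timeout.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not parent.image.lower().endswith(r"\cmd.exe"):
            continue
        if not re.search(r'\\temp\\[^"]*\.(cmd|bat)', parent.cmdline, re.I):
            continue
        m = re.search(r"timeout(?:\s+/t)?\s+(\d+)", e.cmdline, re.I)
        hits.append((parent.pid, e.pid, int(m.group(1)) if m else None))
    return hits


def write_graph(events):
    """writer pid -> set of pids it called WriteProcessMemory on."""
    g = defaultdict(set)
    for e in events:
        for target in e.wrote_to:
            g[e.pid].add(target)
    return dict(g)


def injection_candidates(events):
    """Writes into a pid that is not the writer's own child.

    CreateProcess writes the startup parameters into the child it just made, so
    parent->child writes (all seven in this report) are expected; anything else
    is worth a closer look."""
    by_pid = {e.pid: e for e in events}
    return sorted((w, t) for w, targets in write_graph(events).items() for t in targets
                  if t not in by_pid or by_pid[t].ppid != w)


def external_ip_lookups(events, hosts=IP_LOOKUP_HOSTS):
    """(pid, host) pairs for DNS lookups of known external-IP web services."""
    return sorted({(e.pid, h) for e in events for h in e.dns if h.lower() in hosts})


def triage(events):
    return {
        "executes_dropped_exe": executes_dropped_exe(events),
        "timeout_delay_chain": timeout_delay_chain(events),
        "injection_candidates": injection_candidates(events),
        "external_ip_lookups": external_ip_lookups(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

On this report the injection check comes back empty, which is the point of the caveat under the WriteProcessMemory signature: the seven writes are all parent-into-new-child and should be scored as process creation, not as code injection. Feeding the same functions real Sysmon or EDR events only requires mapping their fields onto ProcEvent.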
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Decoder.exe
  MD5     6bd60496fa24ada50ca869be53467c7c
  SHA1    5afdeb2dade4a35e6d8feef1ef24e30075302d6c
  SHA256  25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b
  SHA512  bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806

C:\Users\Admin\AppData\Local\Temp\.cmd
  MD5     73712247036b6a24d16502c57a3e5679
  SHA1    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
  SHA256  8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
  SHA512  548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Memory dumps (pid-index-range)
  dump                                                               filesize
  memory/1108-17-0x00000000000C0000-0x00000000000C1000-memory.dmp    4KB
  memory/1108-16-0x0000000073920000-0x000000007400E000-memory.dmp    6.9MB
  memory/1108-10-0x0000000000000000-mapping.dmp                      -
  memory/2128-12-0x0000000000000000-mapping.dmp                      -
  memory/3892-14-0x0000000000000000-mapping.dmp                      -
  memory/3996-9-0x0000000002900000-0x0000000002971000-memory.dmp     452KB
  memory/3996-2-0x00007FFC34B90000-0x00007FFC3557C000-memory.dmp     9.9MB
  memory/3996-6-0x0000000000EC0000-0x0000000000EC1000-memory.dmp     4KB
  memory/3996-5-0x000000001B4E0000-0x000000001B4E2000-memory.dmp     8KB
  memory/3996-3-0x0000000000400000-0x0000000000401000-memory.dmp     4KB (vmprotect YARA match)