Analysis

max time kernel: 139s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 02-03-2021 15:59

Static task: static1
Behavioral task: behavioral1
  Sample: 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
  Resource: win10v20201028

The process, registry, file and memory details below are from the Windows 10 x64 run (behavioral2).
General

Target: 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
Size: 708KB
MD5: 0bac9429a64f56d2cbef1953de008fb9
SHA1: 6b949c0ce5244ab1bf5f18877756d0a2bbfbe058
SHA256: 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388
SHA512: 7c9c33bd2b1d24fd614a7bd45447bd6c4b4457029dee1e53e221aa4767cc3addf4a5914ce95153040dd6ed421454e20efedab4e33a16315d843aec3eff6fedfe
Malware Config
Signatures
-
Disables Task Manager via registry modification
  Performed by reg.exe (PID 3492) writing HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1 (command line in the process tree). On a live host, confirm with "reg query" on that key and remove it with "reg delete" of the DisableTaskMgr value; the policy affects the current user only.
-
Executes dropped EXE (3 IoCs)
  PID   Process
  3932  jXPgV9Tkn9aBf5hGhZhY.exe
  3164  perfsession.exe
  4088  Idle.exe
-
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data. The report lists no file-level IoC or owning process for this signature.
-
Adds Run key to start application (2 TTPs, 6 IoCs)
  All six values are written by perfsession.exe (PID 3164) under \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run (the sandbox user's HKCU):
  perfsession = "C:\Program Files (x86)\Windows Portable Devices\perfsession.exe"
  fontdrvhost = "C:\PerfLogs\fontdrvhost.exe"
  Idle        = "C:\PerfLogs\Idle.exe"
  dllhost     = "C:\odt\dllhost.exe"
  conhost     = "C:\Boot\ru-RU\conhost.exe"
  winlogon    = "C:\odt\winlogon.exe"
  Four value names (fontdrvhost, dllhost, conhost, winlogon) reuse the names of genuine System32 binaries but point outside the Windows directory. Only perfsession.exe and Idle.exe are recorded as written in this run; the other four paths should be checked on a real host rather than assumed to be populated.
-
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  18    ipinfo.io
  17    ipinfo.io
-
Drops file in Program Files directory (2 IoCs)
  Files created by perfsession.exe:
  C:\Program Files (x86)\Windows Portable Devices\perfsession.exe
  C:\Program Files (x86)\Windows Portable Devices\cb477ef3b523cb26b519d5f7fa28b6e2c987480e
  The second file name is 40 hexadecimal characters, the length of a SHA-1 digest; its content is not captured in this report.
-
Drops file in Windows directory (1 IoC)
  File created by perfsession.exe:
  C:\Windows\WinSxS\amd64_multipoint-wms.wind..updateagent.interop_31bf3856ad364e35_10.0.15063.0_none_0a09a415fe7d69de\sppsvc.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no file encryption is recorded in this run, and stealers and remote-access trojans enumerate drives as well.
-
Creates scheduled task(s) (1 TTP, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  3928  schtasks.exe
  1348  schtasks.exe
  684   schtasks.exe
  196   schtasks.exe
  204   schtasks.exe
  1344  schtasks.exe
  All six are children of perfsession.exe (PID 3164) and create ONLOGON tasks with /rl HIGHEST; the command lines are in the process tree below.
-
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings
  by 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe and again by jXPgV9Tkn9aBf5hGhZhY.exe
-
Modifies registry key (1 TTP, 1 IoC)
  The single IoC is the reg.exe write of DisableTaskMgr shown in the process tree.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  3164 perfsession.exe; 4088 Idle.exe (3 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  4088 Idle.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege enabled by 3164 perfsession.exe and by 4088 Idle.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
  4088 Idle.exe
  Repeated GetForegroundWindow calls plus a Windows hook in the same process is the API shape of active-window and keystroke logging; together with SeDebugPrivilege and the browser-data signature above, Idle.exe is the component to examine for stealer/RAT functionality.
-
Suspicious use of WriteProcessMemory (34 IoCs)
  Parent PID -> child PID (process), with the number of write events recorded:
  732 923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe -> 976 WScript.exe (3)
  976 WScript.exe -> 3024 cmd.exe (3)
  3024 cmd.exe -> 3932 jXPgV9Tkn9aBf5hGhZhY.exe (3)
  3932 jXPgV9Tkn9aBf5hGhZhY.exe -> 1500 WScript.exe (3)
  1500 WScript.exe -> 2820 cmd.exe (3)
  2820 cmd.exe -> 3164 perfsession.exe (2)
  3164 perfsession.exe -> 684 schtasks.exe (2)
  3164 perfsession.exe -> 196 schtasks.exe (2)
  3164 perfsession.exe -> 204 schtasks.exe (2)
  3164 perfsession.exe -> 1344 schtasks.exe (2)
  3164 perfsession.exe -> 3928 schtasks.exe (2)
  3164 perfsession.exe -> 1348 schtasks.exe (2)
  3164 perfsession.exe -> 4088 Idle.exe (2)
  2820 cmd.exe -> 3492 reg.exe (3)
  Every write target is the writer's own child in the process tree below, which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes

Indentation shows parent/child; PIDs are those from the WriteProcessMemory events above. Image paths under SysWOW64 paired with command lines that say System32 are WOW64 file-system redirection: the sample, both WScript.exe instances, both cmd.exe instances and jXPgV9Tkn9aBf5hGhZhY.exe are 32-bit. perfsession.exe launches the native C:\Windows\SYSTEM32\schtasks.exe and maps 0x00007FFD... regions (see the memory dumps), so it and Idle.exe are 64-bit. The chain runs the same VBE-launches-BAT-launches-EXE pattern twice, with every stage staged from C:\crtperf.

- C:\Users\Admin\AppData\Local\Temp\923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe (PID 732)
  "C:\Users\Admin\AppData\Local\Temp\923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe"
  Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 976)
    "C:\Windows\System32\WScript.exe" "C:\crtperf\s7tY9N5Vu2JbdeMgRZyLmMeBhrxbEn.vbe"
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3024)
      C:\Windows\system32\cmd.exe /c ""C:\crtperf\9Bd2oT30CpEapbf1aohTD2mmclwl3I.bat" "
      Suspicious use of WriteProcessMemory
      - C:\crtperf\jXPgV9Tkn9aBf5hGhZhY.exe (PID 3932)
        jXPgV9Tkn9aBf5hGhZhY.exe -p9f982c3f55b750de44de811e814eaa444bd04495
        Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
        (the single -p argument is 40 hex characters; the report does not establish what the binary does with it)
        - C:\Windows\SysWOW64\WScript.exe (PID 1500)
          "C:\Windows\System32\WScript.exe" "C:\crtperf\VX2MLDIq1AG04NfaPzzEEk4y5o5pV1.vbe"
          Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 2820)
            C:\Windows\system32\cmd.exe /c ""C:\crtperf\jC3Q5eptk85KSFNLSvpEDblw9MYLej.bat" "
            Suspicious use of WriteProcessMemory
            - C:\crtperf\perfsession.exe (PID 3164)
              "C:\crtperf\perfsession.exe"
              Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\SYSTEM32\schtasks.exe, six instances (PIDs 684, 196, 204, 1344, 3928, 1348; the report does not pair each PID with a task name)
                "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
                "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\ru-RU\conhost.exe'" /rl HIGHEST /f
                "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
                "schtasks" /create /tn "perfsession" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\perfsession.exe'" /rl HIGHEST /f
                "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
                "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f
                Creates scheduled task(s)
              - C:\PerfLogs\Idle.exe (PID 4088)
                "C:\PerfLogs\Idle.exe"
                Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\reg.exe (PID 3492)
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              Modifies registry key

The task names and Run value names are the same six strings, and each task runs at logon with the highest available run level and /f (overwrite). On a host, the quickest confirmation is to list tasks whose action points at one of the six paths above and to read the user's Run key for the same names.
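As an added example, not part of the sandbox report or of the sample, the following Python audit turns the persistence pattern above into a check: it parses the six schtasks command lines and the six Run values exactly as they appear in this report (embedded as constructed sample input, with the Run data given as stored in the registry, including its outer quotes) and flags any target that reuses a Windows system-binary name outside System32/SysWOW64/WinSxS, or that sits outside the usual application roots. The SYSTEM_BINARY_NAMES and STANDARD_ROOTS lists are illustrative assumptions, not complete allow-lists, and the same functions accept Run values or schtasks command lines collected from a real host.

```python
"""Autostart masquerade audit.

Example code added to this report; it is not part of the sandbox output or the
sample. RUN_VALUES and SCHTASKS_CMDLINES are constructed sample input copied from
the report. SYSTEM_BINARY_NAMES and STANDARD_ROOTS are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Genuine Windows executables that belong under System32/SysWOW64/WinSxS (assumed subset).
SYSTEM_BINARY_NAMES = {
    "conhost.exe", "winlogon.exe", "dllhost.exe", "fontdrvhost.exe", "sppsvc.exe",
    "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "svchost.exe", "wininit.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Roots where an autostart target is normally expected (assumed; tune per estate).
STANDARD_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows", r"c:\users")

# Constructed sample input: the six Run values from the report, as stored in the registry.
RUN_VALUES = {
    "perfsession": r'"C:\Program Files (x86)\Windows Portable Devices\perfsession.exe"',
    "fontdrvhost": r'"C:\PerfLogs\fontdrvhost.exe"',
    "Idle": r'"C:\PerfLogs\Idle.exe"',
    "dllhost": r'"C:\odt\dllhost.exe"',
    "conhost": r'"C:\Boot\ru-RU\conhost.exe"',
    "winlogon": r'"C:\odt\winlogon.exe"',
}
# Constructed sample input: the six schtasks command lines from the process tree.
SCHTASKS_CMDLINES = [
    r'''"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\ru-RU\conhost.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "perfsession" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\perfsession.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f''',
]


@dataclass
class Finding:
    source: str                 # "run" or "schtask"
    name: str                   # Run value name or task name
    path: str                   # resolved target executable
    reasons: list = field(default_factory=list)
    run_level: str = ""         # schtasks /rl, when present


def clean_path(raw: str) -> str:
    """Strip the nested quoting seen in Run data ("...") and /tr arguments ("'...'")."""
    return raw.strip().strip('"').strip("'").strip('"')


def _under(path: str, roots) -> bool:
    low = path.lower()
    return any(low == r or low.startswith(r + "\\") for r in roots)


def audit_target(source: str, name: str, path: str, run_level: str = ""):
    """Return a Finding for a suspicious autostart target, or None if it looks ordinary."""
    reasons = []
    if PureWindowsPath(path).name.lower() in SYSTEM_BINARY_NAMES and not _under(path, SYSTEM_DIRS):
        reasons.append("system binary name outside System32/SysWOW64/WinSxS")
    if not _under(path, STANDARD_ROOTS):
        reasons.append("target outside Program Files/Windows/Users")
    return Finding(source, name, path, reasons, run_level) if reasons else None


_TASK_ARG = re.compile(r'/(tn|tr|sc|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Pull /tn, /tr, /sc and /rl out of a 'schtasks /create' command line."""
    args = {k.lower(): v.strip('"') for k, v in _TASK_ARG.findall(cmdline)}
    return {
        "name": args.get("tn", ""),
        "path": clean_path(args.get("tr", "")),
        "schedule": args.get("sc", "").upper(),
        "run_level": args.get("rl", "").upper(),
    }


def audit_run_values(run_values: dict) -> list:
    """Audit Run value name -> data pairs (e.g. exported from HKCU\\...\\Run)."""
    findings = [audit_target("run", name, clean_path(data)) for name, data in run_values.items()]
    return [f for f in findings if f]


def audit_schtasks(cmdlines) -> list:
    """Audit 'schtasks /create' command lines (e.g. from process-creation telemetry)."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line)
        findings.append(audit_target("schtask", task["name"], task["path"], task["run_level"]))
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in audit_run_values(RUN_VALUES) + audit_schtasks(SCHTASKS_CMDLINES):
        level = f" (/rl {f.run_level})" if f.run_level else ""
        print(f"[{f.source}] {f.name}{level}: {f.path}\n    " + "; ".join(f.reasons))
```

Run against the report's data, the audit flags five of the six Run values and five of the six tasks: the four system-binary look-alikes (dllhost, conhost, winlogon, fontdrvhost) on both rules, Idle.exe for its C:\PerfLogs location, and nothing for perfsession.exe because it sits under Program Files (x86). The run level is carried on each task finding rather than treated as a finding on its own, since HIGHEST alone also appears on legitimate installer-created tasks.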
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\PerfLogs\Idle.exe
  MD5:    2234e10e2a409322aa675934c2c19c5a
  SHA1:   5b20e1997baae3d3fd90f6753394b19ce3e7c7eb
  SHA256: daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401
  SHA512: d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911
-
C:\crtperf\9Bd2oT30CpEapbf1aohTD2mmclwl3I.bat
  MD5:    389ac74526071c22e30f903311f25884
  SHA1:   4dd6cb5078eaf72622ef4ec4c31c50c4948fb6dc
  SHA256: 7c4ea03056f62f1176ca88bf79ff4448b5ae283b178c6dad11c82ecaac02a860
  SHA512: dc0e15de6b8e0bba1c3985f87c71a33cd594c52f5c5b757426ca08e02322fd0fe17fa1b2d0e5359f42548237b7a3efadce2bb2f8474c07ef30d6fefccfbc21c5
-
C:\crtperf\VX2MLDIq1AG04NfaPzzEEk4y5o5pV1.vbe
  MD5:    68b77c6e83d2b50e560f02942c25a29c
  SHA1:   a84ea5f3742cc39f4b15afd131aff981864f58d2
  SHA256: 87f71300540cdfce6e88e6136069243a4a91b1ec48efc26537bf4f0164c3caef
  SHA512: 1678bd019636db00ac78164452a2d242d10f838130b74a883befdc9d33b17e30fd43f244a1423fc8d569d49f742d59cfafcde4b28bf4044b8768f4abd169e40e
-
C:\crtperf\jC3Q5eptk85KSFNLSvpEDblw9MYLej.bat
  MD5:    1120e57823fc486c8ee3709e53ae606e
  SHA1:   0d388c42ea2a351611f681427729cf687d3d6823
  SHA256: 132374a8f45f67c3fcfc08c1b683c825cee9b83abc5be329e857b319cea1255b
  SHA512: 8a5b189019d4337b79eecaccbfb6533d30d40964c6afdb479caded1011c6c258018c3e78357e44a3d86e343e5af5d99212906aa290b15f8d239263ad87359997
-
C:\crtperf\jXPgV9Tkn9aBf5hGhZhY.exe
  MD5:    856695bb2cbef85df5d05757333cf045
  SHA1:   7cc48c87226d04140698e4fdcc5ad07597b88708
  SHA256: 83e0395c6c8f0d3d58031a41b8a6d38c157dce1df6f60e9271c293fb1f69c841
  SHA512: 74fb71549cc353e7bf839a9fa3ef6df15d54e99055683716c84e58ac9b4dafc682a12ddad3f76ae77f24ef370e56570c720813b596af0b0db3ec4c84bad91210
-
C:\crtperf\perfsession.exe
  MD5:    2234e10e2a409322aa675934c2c19c5a
  SHA1:   5b20e1997baae3d3fd90f6753394b19ce3e7c7eb
  SHA256: daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401
  SHA512: d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911
  Identical hashes to C:\PerfLogs\Idle.exe: the same binary is staged under two names, so one hash covers both autostart entries.
-
C:\crtperf\s7tY9N5Vu2JbdeMgRZyLmMeBhrxbEn.vbe
  MD5:    3b08eca2158ad110d0a5361140f613c3
  SHA1:   d10f50168d28ceec6deeeba9a4014789c97e2aaf
  SHA256: 1b9a6bce7edd0c06e62356b5b40a1db7880ffb1455e1b01e3b1d466f94ed5c5e
  SHA512: f4bbf6cedd89277978e42bfb1df2488c51dab8e2bac9490ed8b49fe8e813293cd9fc1a8288bed5c7c7f73765bc758281768a9f53eb701ce24168b9cbdc465c8d
-
Memory dumps (file name, with region size where the dump is a memory range rather than a mapping record):
memory/196-31-0x0000000000000000-mapping.dmp
memory/204-32-0x0000000000000000-mapping.dmp
memory/684-30-0x0000000000000000-mapping.dmp
memory/976-4-0x0000000000000000-mapping.dmp
memory/1344-33-0x0000000000000000-mapping.dmp
memory/1348-35-0x0000000000000000-mapping.dmp
memory/1500-19-0x0000000000000000-mapping.dmp
memory/2820-22-0x0000000000000000-mapping.dmp
memory/3024-15-0x0000000000000000-mapping.dmp
memory/3164-26-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp (9.9MB)
memory/3164-29-0x000001CA528E0000-0x000001CA528E2000-memory.dmp (8KB)
memory/3164-27-0x000001CA52540000-0x000001CA52541000-memory.dmp (4KB)
memory/3164-23-0x0000000000000000-mapping.dmp
memory/3492-41-0x0000000000000000-mapping.dmp
memory/3928-34-0x0000000000000000-mapping.dmp
memory/3932-16-0x0000000000000000-mapping.dmp
memory/4088-36-0x0000000000000000-mapping.dmp
memory/4088-39-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp (9.9MB)
memory/4088-43-0x0000019CEDC40000-0x0000019CEDC42000-memory.dmp (8KB)
memory/4088-44-0x0000019CEB990000-0x0000019CEB991000-memory.dmp (4KB)

Only perfsession.exe (3164) and Idle.exe (4088) yielded memory-range dumps; the same 9.9MB region 0x00007FFD72180000-0x00007FFD72B6C000 appears in both, as expected for one image (identical hashes above) loaded in two processes during a single boot session. The 0x00007FFD... addresses also confirm both are 64-bit processes.