923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388

Analysis

max time kernel
139s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
02-03-2021 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
Size

708KB
MD5

0bac9429a64f56d2cbef1953de008fb9
SHA1

6b949c0ce5244ab1bf5f18877756d0a2bbfbe058
SHA256

923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388
SHA512

7c9c33bd2b1d24fd614a7bd45447bd6c4b4457029dee1e53e221aa4767cc3addf4a5914ce95153040dd6ed421454e20efedab4e33a16315d843aec3eff6fedfe

Score

8^/10

evasion persistence spyware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

jXPgV9Tkn9aBf5hGhZhY.exeperfsession.exeIdle.exe

pid process

3932 jXPgV9Tkn9aBf5hGhZhY.exe
3164 perfsession.exe
4088 Idle.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3932	jXPgV9Tkn9aBf5hGhZhY.exe
3164	perfsession.exe
4088	Idle.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

perfsession.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\perfsession = "\"C:\\Program Files (x86)\\Windows Portable Devices\\perfsession.exe\""	perfsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\""	perfsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Idle.exe\""	perfsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	perfsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Boot\\ru-RU\\conhost.exe\""	perfsession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\odt\\winlogon.exe\""	perfsession.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
17 ipinfo.io

flow	ioc
18	ipinfo.io
17	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

perfsession.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\perfsession.exe	perfsession.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cb477ef3b523cb26b519d5f7fa28b6e2c987480e	perfsession.exe

Drops file in Windows directory 1 IoCs

Processes:

perfsession.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_multipoint-wms.wind..updateagent.interop_31bf3856ad364e35_10.0.15063.0_none_0a09a415fe7d69de\sppsvc.exe	perfsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3928 schtasks.exe
1348 schtasks.exe
684 schtasks.exe
196 schtasks.exe
204 schtasks.exe
1344 schtasks.exe

pid	process
3928	schtasks.exe
1348	schtasks.exe
684	schtasks.exe
196	schtasks.exe
204	schtasks.exe
1344	schtasks.exe

Modifies registry class 2 IoCs

Processes:

923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exejXPgV9Tkn9aBf5hGhZhY.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	jXPgV9Tkn9aBf5hGhZhY.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3492 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

perfsession.exeIdle.exe

pid process

3164 perfsession.exe
4088 Idle.exe
4088 Idle.exe
4088 Idle.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid process

4088 Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

perfsession.exeIdle.exe

description pid process

Token: SeDebugPrivilege 3164 perfsession.exe
Token: SeDebugPrivilege 4088 Idle.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Idle.exe

pid process

4088 Idle.exe

pid	process
3492	reg.exe

pid	process
3164	perfsession.exe
4088	Idle.exe
4088	Idle.exe
4088	Idle.exe

pid	process
4088	Idle.exe

description	pid	process
Token: SeDebugPrivilege	3164	perfsession.exe
Token: SeDebugPrivilege	4088	Idle.exe

pid	process
4088	Idle.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exeWScript.execmd.exejXPgV9Tkn9aBf5hGhZhY.exeWScript.execmd.exeperfsession.exe

description	pid	process	target process
PID 732 wrote to memory of 976	732	923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe	WScript.exe
PID 732 wrote to memory of 976	732	923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe	WScript.exe
PID 732 wrote to memory of 976	732	923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe	WScript.exe
PID 976 wrote to memory of 3024	976	WScript.exe	cmd.exe
PID 976 wrote to memory of 3024	976	WScript.exe	cmd.exe
PID 976 wrote to memory of 3024	976	WScript.exe	cmd.exe
PID 3024 wrote to memory of 3932	3024	cmd.exe	jXPgV9Tkn9aBf5hGhZhY.exe
PID 3024 wrote to memory of 3932	3024	cmd.exe	jXPgV9Tkn9aBf5hGhZhY.exe
PID 3024 wrote to memory of 3932	3024	cmd.exe	jXPgV9Tkn9aBf5hGhZhY.exe
PID 3932 wrote to memory of 1500	3932	jXPgV9Tkn9aBf5hGhZhY.exe	WScript.exe
PID 3932 wrote to memory of 1500	3932	jXPgV9Tkn9aBf5hGhZhY.exe	WScript.exe
PID 3932 wrote to memory of 1500	3932	jXPgV9Tkn9aBf5hGhZhY.exe	WScript.exe
PID 1500 wrote to memory of 2820	1500	WScript.exe	cmd.exe
PID 1500 wrote to memory of 2820	1500	WScript.exe	cmd.exe
PID 1500 wrote to memory of 2820	1500	WScript.exe	cmd.exe
PID 2820 wrote to memory of 3164	2820	cmd.exe	perfsession.exe
PID 2820 wrote to memory of 3164	2820	cmd.exe	perfsession.exe
PID 3164 wrote to memory of 684	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 684	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 196	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 196	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 204	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 204	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 1344	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 1344	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 3928	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 3928	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 1348	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 1348	3164	perfsession.exe	schtasks.exe
PID 3164 wrote to memory of 4088	3164	perfsession.exe	Idle.exe
PID 3164 wrote to memory of 4088	3164	perfsession.exe	Idle.exe
PID 2820 wrote to memory of 3492	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 3492	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 3492	2820	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe
"C:\Users\Admin\AppData\Local\Temp\923d327c5db900ff77e57f6d27dae11f2ea2d703d62d68d4f16ed172fcf45388.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\crtperf\s7tY9N5Vu2JbdeMgRZyLmMeBhrxbEn.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\crtperf\9Bd2oT30CpEapbf1aohTD2mmclwl3I.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\crtperf\jXPgV9Tkn9aBf5hGhZhY.exe
jXPgV9Tkn9aBf5hGhZhY.exe -p9f982c3f55b750de44de811e814eaa444bd04495
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\crtperf\VX2MLDIq1AG04NfaPzzEEk4y5o5pV1.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\crtperf\jC3Q5eptk85KSFNLSvpEDblw9MYLej.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\crtperf\perfsession.exe
"C:\crtperf\perfsession.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\ru-RU\conhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:196

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:204

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "perfsession" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\perfsession.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1348

C:\PerfLogs\Idle.exe
"C:\PerfLogs\Idle.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
7⤵
- Modifies registry key
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Idle.exe
MD5
2234e10e2a409322aa675934c2c19c5a

SHA1
5b20e1997baae3d3fd90f6753394b19ce3e7c7eb

SHA256
daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401

SHA512
d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911

Download Submit
C:\PerfLogs\Idle.exe
MD5
2234e10e2a409322aa675934c2c19c5a

SHA1
5b20e1997baae3d3fd90f6753394b19ce3e7c7eb

SHA256
daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401

SHA512
d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911

Download Submit
C:\crtperf\9Bd2oT30CpEapbf1aohTD2mmclwl3I.bat
MD5
389ac74526071c22e30f903311f25884

SHA1
4dd6cb5078eaf72622ef4ec4c31c50c4948fb6dc

SHA256
7c4ea03056f62f1176ca88bf79ff4448b5ae283b178c6dad11c82ecaac02a860

SHA512
dc0e15de6b8e0bba1c3985f87c71a33cd594c52f5c5b757426ca08e02322fd0fe17fa1b2d0e5359f42548237b7a3efadce2bb2f8474c07ef30d6fefccfbc21c5

Download Submit
C:\crtperf\VX2MLDIq1AG04NfaPzzEEk4y5o5pV1.vbe
MD5
68b77c6e83d2b50e560f02942c25a29c

SHA1
a84ea5f3742cc39f4b15afd131aff981864f58d2

SHA256
87f71300540cdfce6e88e6136069243a4a91b1ec48efc26537bf4f0164c3caef

SHA512
1678bd019636db00ac78164452a2d242d10f838130b74a883befdc9d33b17e30fd43f244a1423fc8d569d49f742d59cfafcde4b28bf4044b8768f4abd169e40e

Download Submit
C:\crtperf\jC3Q5eptk85KSFNLSvpEDblw9MYLej.bat
MD5
1120e57823fc486c8ee3709e53ae606e

SHA1
0d388c42ea2a351611f681427729cf687d3d6823

SHA256
132374a8f45f67c3fcfc08c1b683c825cee9b83abc5be329e857b319cea1255b

SHA512
8a5b189019d4337b79eecaccbfb6533d30d40964c6afdb479caded1011c6c258018c3e78357e44a3d86e343e5af5d99212906aa290b15f8d239263ad87359997

Download Submit
C:\crtperf\jXPgV9Tkn9aBf5hGhZhY.exe
MD5
856695bb2cbef85df5d05757333cf045

SHA1
7cc48c87226d04140698e4fdcc5ad07597b88708

SHA256
83e0395c6c8f0d3d58031a41b8a6d38c157dce1df6f60e9271c293fb1f69c841

SHA512
74fb71549cc353e7bf839a9fa3ef6df15d54e99055683716c84e58ac9b4dafc682a12ddad3f76ae77f24ef370e56570c720813b596af0b0db3ec4c84bad91210

Download Submit
C:\crtperf\jXPgV9Tkn9aBf5hGhZhY.exe
MD5
856695bb2cbef85df5d05757333cf045

SHA1
7cc48c87226d04140698e4fdcc5ad07597b88708

SHA256
83e0395c6c8f0d3d58031a41b8a6d38c157dce1df6f60e9271c293fb1f69c841

SHA512
74fb71549cc353e7bf839a9fa3ef6df15d54e99055683716c84e58ac9b4dafc682a12ddad3f76ae77f24ef370e56570c720813b596af0b0db3ec4c84bad91210

Download Submit
C:\crtperf\perfsession.exe
MD5
2234e10e2a409322aa675934c2c19c5a

SHA1
5b20e1997baae3d3fd90f6753394b19ce3e7c7eb

SHA256
daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401

SHA512
d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911

Download Submit
C:\crtperf\perfsession.exe
MD5
2234e10e2a409322aa675934c2c19c5a

SHA1
5b20e1997baae3d3fd90f6753394b19ce3e7c7eb

SHA256
daa0d6dae5666e62ace429dca609c881349461cbdbee8b4859e3f1af760f5401

SHA512
d7b2de83256faab99f651174085ddbc46f6145c05266efb75cf571a0dc8e2ca5ffaacefd26ff4e18d8a2a6e7493d76d084697be790f8b971559c8fed0db29911

Download Submit
C:\crtperf\s7tY9N5Vu2JbdeMgRZyLmMeBhrxbEn.vbe
MD5
3b08eca2158ad110d0a5361140f613c3

SHA1
d10f50168d28ceec6deeeba9a4014789c97e2aaf

SHA256
1b9a6bce7edd0c06e62356b5b40a1db7880ffb1455e1b01e3b1d466f94ed5c5e

SHA512
f4bbf6cedd89277978e42bfb1df2488c51dab8e2bac9490ed8b49fe8e813293cd9fc1a8288bed5c7c7f73765bc758281768a9f53eb701ce24168b9cbdc465c8d

Download Submit
memory/196-31-0x0000000000000000-mapping.dmp

Download
memory/204-32-0x0000000000000000-mapping.dmp

Download
memory/684-30-0x0000000000000000-mapping.dmp

Download
memory/976-4-0x0000000000000000-mapping.dmp

Download
memory/1344-33-0x0000000000000000-mapping.dmp

Download
memory/1348-35-0x0000000000000000-mapping.dmp

Download
memory/1500-19-0x0000000000000000-mapping.dmp

Download
memory/2820-22-0x0000000000000000-mapping.dmp

Download
memory/3024-15-0x0000000000000000-mapping.dmp

Download
memory/3164-26-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp

Filesize
9.9MB

Download
memory/3164-29-0x000001CA528E0000-0x000001CA528E2000-memory.dmp

Filesize
8KB

Download
memory/3164-27-0x000001CA52540000-0x000001CA52541000-memory.dmp

Filesize
4KB

Download
memory/3164-23-0x0000000000000000-mapping.dmp

Download
memory/3492-41-0x0000000000000000-mapping.dmp

Download
memory/3928-34-0x0000000000000000-mapping.dmp

Download
memory/3932-16-0x0000000000000000-mapping.dmp

Download
memory/4088-36-0x0000000000000000-mapping.dmp

Download
memory/4088-39-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp

Filesize
9.9MB

Download
memory/4088-43-0x0000019CEDC40000-0x0000019CEDC42000-memory.dmp

Filesize
8KB

Download
memory/4088-44-0x0000019CEB990000-0x0000019CEB991000-memory.dmp

Filesize
4KB

Download