Analysis
- max time kernel: 94s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 11:37

Static task: static1
Behavioral task: behavioral1
- Sample: TI.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: TI.exe
- Resource: win10v20210410
General
- Target: TI.exe
- Size: 392KB
- MD5: aecd8738094fcc9cdf76c8d538deda58
- SHA1: 84b0a144d7ff0c069f0e2f651b9e00e51ce9b559
- SHA256: fa8bcb532dc59bca85334cee54152785e4f3ee8d7d9d6ca3680443beeb61ee58
- SHA512: 16745c8fee729f4480317b2c058552a20b085bc0934e67be6590cd26e41c479733d8a9442ce0e686b0ef9fa86d79db6bcc1349d274f021240d7dd4a3e08fadac
Malware Config
Extracted
- Protocol: smtp
- Host: casids.co.ke
- Port: 587
- Username: webmaster@casids.co.ke
- Password: Eightis88
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  3488 sdiagnhost.exe
  3928 sdiagnhost.exe
  2416 sdiagnhost.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process TI.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Documents\\sdiagnhost.exe"
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 27: checkip.dyndns.org
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3488 sdiagnhost.exe set thread context of PID 3928 sdiagnhost.exe
  PID 3928 sdiagnhost.exe set thread context of PID 2416 sdiagnhost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process):
  1744 TI.exe (6 entries)
  3488 sdiagnhost.exe (6 entries)
  2416 sdiagnhost.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 1744 TI.exe
  Token: SeDebugPrivilege, PID 3488 sdiagnhost.exe
  Token: SeDebugPrivilege, PID 3928 sdiagnhost.exe
  Token: SeDebugPrivilege, PID 2416 sdiagnhost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  2416 sdiagnhost.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1744 TI.exe wrote to memory of PID 3488 sdiagnhost.exe (3 entries)
  PID 3488 sdiagnhost.exe wrote to memory of PID 3928 sdiagnhost.exe (8 entries)
  PID 3928 sdiagnhost.exe wrote to memory of PID 2416 sdiagnhost.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\TI.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TI.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\sdiagnhost.exe (depth 2)
    Command line: "C:\Users\Admin\Documents\sdiagnhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\sdiagnhost.exe (depth 3)
      Command line: "C:\Users\Admin\Documents\sdiagnhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\Documents\sdiagnhost.exe (depth 4)
        Command line: "C:\Users\Admin\Documents\sdiagnhost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sdiagnhost.exe.log
  MD5: 853616fb417a9994016ac2fc5aca2e48
  SHA1: 4b14795567c65fc9887435ee4c83b0e7e36457a0
  SHA256: a8c36711d45141248581cd06dbc0d459cba692907d0aa9d38edbde6249645ba9
  SHA512: 4582b69267e4fb1154d8ecdde55c676db7dba215c7223b8f0c04fb0bef96eea39e554b802c0d6958c7102683d3cc0efb085dda797665ed0a2a190066a7be7e4f
- C:\Users\Admin\Documents\sdiagnhost.exe
  MD5: 4da5361bce213230e566170cd5a62a02
  SHA1: 7b29f331fb8a527c76c0c66886a07a02caf6735f
  SHA256: 90cd954a798c906238800b00597ff737714661049d7495da7b41600a37098b5d
  SHA512: 5ee380e447d4e41100d6f2092a3fcebd7b4bb1b23cff66fddb38d05bf0586eee05be4e040a1a11f52603b81b318400d3275fcde2880e059942672aab3c6fd901
- memory/1744-116-0x0000000003244000-0x0000000003246000-memory.dmp (8KB)
- memory/1744-115-0x0000000003241000-0x0000000003242000-memory.dmp (4KB)
- memory/1744-114-0x0000000003240000-0x0000000003241000-memory.dmp (4KB)
- memory/2416-132-0x0000000002B21000-0x0000000002B22000-memory.dmp (4KB)
- memory/2416-131-0x0000000002B20000-0x0000000002B21000-memory.dmp (4KB)
- memory/2416-129-0x00000000004251FE-mapping.dmp
- memory/2416-128-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/3488-117-0x0000000000000000-mapping.dmp
- memory/3488-122-0x00000000026B4000-0x00000000026B6000-memory.dmp (8KB)
- memory/3488-121-0x00000000026B1000-0x00000000026B2000-memory.dmp (4KB)
- memory/3488-120-0x00000000026B0000-0x00000000026B1000-memory.dmp (4KB)
- memory/3928-127-0x0000000002E70000-0x0000000002E71000-memory.dmp (4KB)
- memory/3928-124-0x000000000042557E-mapping.dmp
- memory/3928-123-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)