Analysis

  • max time kernel
    94s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 11:37

General

  • Target

    TI.exe

  • Size

    392KB

  • MD5

    aecd8738094fcc9cdf76c8d538deda58

  • SHA1

    84b0a144d7ff0c069f0e2f651b9e00e51ce9b559

  • SHA256

    fa8bcb532dc59bca85334cee54152785e4f3ee8d7d9d6ca3680443beeb61ee58

  • SHA512

    16745c8fee729f4480317b2c058552a20b085bc0934e67be6590cd26e41c479733d8a9442ce0e686b0ef9fa86d79db6bcc1349d274f021240d7dd4a3e08fadac

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    casids.co.ke
  • Port:
    587
  • Username:
    webmaster@casids.co.ke
  • Password:
    Eightis88

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TI.exe
    "C:\Users\Admin\AppData\Local\Temp\TI.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\Documents\sdiagnhost.exe
      "C:\Users\Admin\Documents\sdiagnhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Users\Admin\Documents\sdiagnhost.exe
        "C:\Users\Admin\Documents\sdiagnhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Users\Admin\Documents\sdiagnhost.exe
          "C:\Users\Admin\Documents\sdiagnhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), count 1
  • Defense Evasion: Modify Registry (T1112), count 1
  • Credential Access: Credentials in Files (T1081), count 3
  • Discovery: System Information Discovery (T1082), count 1
  • Collection: Data from Local System (T1005), count 3

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sdiagnhost.exe.log
    MD5

    853616fb417a9994016ac2fc5aca2e48

    SHA1

    4b14795567c65fc9887435ee4c83b0e7e36457a0

    SHA256

    a8c36711d45141248581cd06dbc0d459cba692907d0aa9d38edbde6249645ba9

    SHA512

    4582b69267e4fb1154d8ecdde55c676db7dba215c7223b8f0c04fb0bef96eea39e554b802c0d6958c7102683d3cc0efb085dda797665ed0a2a190066a7be7e4f

  • C:\Users\Admin\Documents\sdiagnhost.exe
    MD5

    4da5361bce213230e566170cd5a62a02

    SHA1

    7b29f331fb8a527c76c0c66886a07a02caf6735f

    SHA256

    90cd954a798c906238800b00597ff737714661049d7495da7b41600a37098b5d

    SHA512

    5ee380e447d4e41100d6f2092a3fcebd7b4bb1b23cff66fddb38d05bf0586eee05be4e040a1a11f52603b81b318400d3275fcde2880e059942672aab3c6fd901

  • memory/1744-116-0x0000000003244000-0x0000000003246000-memory.dmp
    Filesize

    8KB

  • memory/1744-115-0x0000000003241000-0x0000000003242000-memory.dmp
    Filesize

    4KB

  • memory/1744-114-0x0000000003240000-0x0000000003241000-memory.dmp
    Filesize

    4KB

  • memory/2416-132-0x0000000002B21000-0x0000000002B22000-memory.dmp
    Filesize

    4KB

  • memory/2416-131-0x0000000002B20000-0x0000000002B21000-memory.dmp
    Filesize

    4KB

  • memory/2416-129-0x00000000004251FE-mapping.dmp
  • memory/2416-128-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

  • memory/3488-117-0x0000000000000000-mapping.dmp
  • memory/3488-122-0x00000000026B4000-0x00000000026B6000-memory.dmp
    Filesize

    8KB

  • memory/3488-121-0x00000000026B1000-0x00000000026B2000-memory.dmp
    Filesize

    4KB

  • memory/3488-120-0x00000000026B0000-0x00000000026B1000-memory.dmp
    Filesize

    4KB

  • memory/3928-127-0x0000000002E70000-0x0000000002E71000-memory.dmp
    Filesize

    4KB

  • memory/3928-124-0x000000000042557E-mapping.dmp
  • memory/3928-123-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB