Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 10:11

General

  • Target

    5aa41ad255b734cfb16c0de9c1cf6408f93f707ff315a61e2dea4fc1f7839296.exe

  • Size

    748KB

  • MD5

    e519f003d5410ef4f414ae0126c6d0bb

  • SHA1

    8975d4518af84e4010900ea9cba288e541918392

  • SHA256

    5aa41ad255b734cfb16c0de9c1cf6408f93f707ff315a61e2dea4fc1f7839296

  • SHA512

    6735c26fe7b3f3735ad047fc67b5a7ea96ae77149a5db0a8ecc694c9e6a363004297e7907d427fbdd8886f4d1dc000b95bf9d8d3a7e8c193e8bd4352a4e4601d

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs
  • UAC bypass 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aa41ad255b734cfb16c0de9c1cf6408f93f707ff315a61e2dea4fc1f7839296.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa41ad255b734cfb16c0de9c1cf6408f93f707ff315a61e2dea4fc1f7839296.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3872
    • C:\Users\Admin\XwckgwAA\eAkQIkgw.exe
      "C:\Users\Admin\XwckgwAA\eAkQIkgw.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1672
    • C:\ProgramData\Dwookgww\oWgsAMEo.exe
      "C:\ProgramData\Dwookgww\oWgsAMEo.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpack.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\cpack.exe
        C:\Users\Admin\AppData\Local\Temp\cpack.exe
        3⤵
        • Executes dropped EXE
        PID:2096
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      2⤵
      • Modifies registry key
      PID:1904
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      2⤵
      • Modifies registry key
      PID:3016
    • C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      2⤵
      • Modifies registry key
      PID:3504
  • C:\ProgramData\gQooMsAg\MQUkUQYI.exe
    C:\ProgramData\gQooMsAg\MQUkUQYI.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Drops file in System32 directory
    PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (T1004): 1
    Hidden Files and Directories (T1158): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Modify Registry (T1112): 5
    Hidden Files and Directories (T1158): 1
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\ProgramData\Dwookgww\oWgsAMEo.exe
    MD5

    59d20f8eed2e770bc1109b61619e1063

    SHA1

    5b392f3a943b163e98126fc37bcb54b6f0e5691c

    SHA256

    230174e9006391fa388116be59a629e18a85ecfc2ff549cf88fe92f3e9f69016

    SHA512

    e280934fdfeb939d9c656971a2404960b3f3d682e2341828c986e6f7a02932ccebb66ecdb8a4fcb3a44d114c3d47120902f73fcf15533c33ff41931c347737ce

  • C:\ProgramData\gQooMsAg\MQUkUQYI.exe
    MD5

    3e657712eca38725716bf607cb48a6a5

    SHA1

    d713c80cf2133cfaa7457709b83a3badd52ce17c

    SHA256

    a65d11064e9f9f26124142466a3307dadac5481cae2368103e13232932b67233

    SHA512

    582da8532f2f851fd0c586a76957c7f6dd788c8605aeaf4f988077693eeed23eb22d26df7e3cd3c647692eb3a408c48a9b993496340e0fd51de06b14342ac907

  • C:\Users\Admin\AppData\Local\Temp\cpack.exe
    MD5

    caad373422b474737f4d76fb82379581

    SHA1

    6804be1ae8bfd3858e0053915f75d4b611790bc5

    SHA256

    22c0d54e96431ebae4d40546f4efe6af61d1a9644710f93dc32ec2ca6cf2ba75

    SHA512

    dbaba0bc94aaeddb9811b0b9fd923f763ef8c7e290153e21e295230fdbe9c683dbf0b096eda3a3eb06e4ff9733cb3e9906737a1b5ee8e6af034680c198b95dd5

  • C:\Users\Admin\XwckgwAA\eAkQIkgw.exe
    MD5

    1c927dfd7f8ef84fc5a017e1e0b4498f

    SHA1

    e077871e9a943830fde5e22171961cd732cad1d4

    SHA256

    dd696907c72fc8b7e476dda1e95d8369b0e6cf59706792b911c14c69c7951da5

    SHA512

    3d2313f7d17471cbb49b9b073757dbef7d9e4f2741cdd2039993bd76db4b9ce8f73a48e610c262b5d5a78574d6b8ab236596a1976543bb377e2e1e18811ac2f4

  • memory/1672-114-0x0000000000000000-mapping.dmp
  • memory/1904-123-0x0000000000000000-mapping.dmp
  • memory/1992-117-0x0000000000000000-mapping.dmp
  • memory/2096-126-0x0000000000000000-mapping.dmp
  • memory/2096-129-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

  • memory/2096-131-0x000000001ABF0000-0x000000001ABF2000-memory.dmp
    Filesize

    8KB

  • memory/3016-124-0x0000000000000000-mapping.dmp
  • memory/3504-125-0x0000000000000000-mapping.dmp
  • memory/3536-122-0x0000000000000000-mapping.dmp