Analysis

max time kernel: 120s
max time network: 124s
platform: windows10_x64
resource: win10v20210408
submitted: 15/05/2021, 15:04

Static task: static1
Behavioral task: behavioral1
Sample: 2.exe
Resource: win7v20210410
Signatures: 0
Duration: 0 seconds
General

Target: 2.exe
Size: 1.9MB
MD5: 5fd5ef8825f390a3c7dac57659ee7079
SHA1: 364c83ce8542086e50f4e62050a715613fcc361c
SHA256: 9561ae1eae830aed3ade4c339faac7240320f6a01e203b5c0521a9ed09e686fd
SHA512: fc1a6e185b4abb0ee9e9c0eafd89cce54744a4b42bfbbf14bac37ce1cc85eb75358fb0d99e83c776694862854355d64d5743e7be0966fc97dec08500840a2454
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4168  Presto.exe.com
  512   Presto.exe.com

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; in this report it appears together with browser-data and cryptocurrency-wallet access, which are infostealer indicators, so treat the ransomware label as a heuristic rather than a classification.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Presto.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Presto.exe.com

- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2500  timeout.exe

- Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  4352  PING.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  512   Presto.exe.com
  512   Presto.exe.com

- Suspicious use of WriteProcessMemory (24 IoCs)
  Every parent-to-child write is recorded three times, so the 24 entries cover 8 distinct parent/child pairs.
  pid   Process         wrote to memory of  procid_target  entries
  4804  2.exe           3300                75             3
  3300  cmd.exe         3440                77             3
  3440  cmd.exe         4172                78             3
  3440  cmd.exe         4168                79             3
  3440  cmd.exe         4352                80             3
  4168  Presto.exe.com  512                 81             3
  512   Presto.exe.com  1988                85             3
  1988  cmd.exe         2500                87             3
Processes

Image: C:\Users\Admin\AppData\Local\Temp\2.exe (PID 4804)
Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
- Suspicious use of WriteProcessMemory

  Image: C:\Windows\SysWOW64\cmd.exe (PID 3300)
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\cmd.exe (PID 3440)
    Command line: C:\Windows\system32\cmd
    - Suspicious use of WriteProcessMemory

      Image: C:\Windows\SysWOW64\findstr.exe (PID 4172)
      Command line: findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks

      Image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com (PID 4168)
      Command line: Presto.exe.com s
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        Image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com (PID 512)
        Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com s
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

          Image: C:\Windows\SysWOW64\cmd.exe (PID 1988)
          Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com"
          - Suspicious use of WriteProcessMemory

            Image: C:\Windows\SysWOW64\timeout.exe (PID 2500)
            Command line: timeout 3
            - Delays execution with timeout.exe

      Image: C:\Windows\SysWOW64\PING.EXE (PID 4352)
      Command line: ping 127.0.0.1 -n 30
      - Runs ping.exe
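Added example, not part of the sandbox report: a small Python script that transcribes the process records from the tree above and scores the whole tree with the heuristics a detection engineer would derive from this chain: cmd.exe reading its script from stdin (cmd < Osi.wks, which keeps the real commands off any command line), findstr /V /R with an anchored junk-line marker (a one-line filter that strips a marker from an obfuscated drop file), a *.exe.com binary under a 7ZipSfx.* temp directory, ping 127.0.0.1 -n N used as a sleep, and timeout followed by del as delayed self-deletion. The rule names, regular expressions and the three-indicator threshold are my own choices, not the sandbox's signatures; the process list is transcribed from the report, with parent/child links taken from the WriteProcessMemory entries.

```python
import re

# Process records transcribed from the report: (pid, ppid, image, command line).
# Constructed inline so the script runs offline; ppid None marks the root.
REPORT_PROCESSES = [
    (4804, None, r"C:\Users\Admin\AppData\Local\Temp\2.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    (3300, 4804, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks'),
    (3440, 3300, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd"),
    (4172, 3440, r"C:\Windows\SysWOW64\findstr.exe",
     r'findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks'),
    (4168, 3440, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com",
     r"Presto.exe.com s"),
    (4352, 3440, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1 -n 30"),
    (512, 4168, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com",
     r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com s"),
    (1988, 512, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com"'),
    (2500, 1988, r"C:\Windows\SysWOW64\timeout.exe", r"timeout 3"),
]

# Heuristic rules (my own names and patterns, not the sandbox's signatures).
# Each is matched against "image + command line" of a single process.
RULES = [
    ("cmd_stdin_script",
     re.compile(r'\bcmd(?:\.exe)?"?\s*<\s*\S+', re.I),
     'cmd takes its script from stdin (cmd < file), hiding the real commands'),
    ("findstr_v_anchored_marker",
     re.compile(r'\bfindstr(?:\.exe)?\s+/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"', re.I),
     'findstr /V /R "^marker$" strips one junk line from a drop file'),
    ("ping_loopback_delay",
     re.compile(r'\bping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+\d+', re.I),
     'ping 127.0.0.1 -n N used as a sleep'),
    ("timeout_then_del_self_delete",
     re.compile(r'\btimeout\s+\d+\s*&\s*del\s+/f\s+/q\s+"?[^"&]*\.(?:exe|com|scr)\b', re.I),
     'delayed deletion of a dropped executable'),
    ("double_extension_in_sfx_temp",
     re.compile(r'\\Temp\\7ZipSfx\.\d+\\[^\\\s"]+\.exe\.com\b', re.I),
     '*.exe.com binary under a 7-Zip SFX extraction directory'),
]


def match_rules(image, cmdline):
    """Names of the rules that fire on one process record, in RULES order."""
    text = f"{image} {cmdline}"
    return [name for name, rx, _ in RULES if rx.search(text)]


def children_of(procs):
    """Map ppid -> [pid, ...] so the tree can be walked top-down."""
    kids = {}
    for pid, ppid, _, _ in procs:
        kids.setdefault(ppid, []).append(pid)
    return kids


def subtree(root, kids):
    """All pids under root (root included), depth-first."""
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(kids.get(pid, [])))
    return out


def summarize_trees(procs):
    """Per root pid: {rule name: [pids where it fired]} over the whole tree.

    Scoring the tree rather than single processes matters here: no one
    process trips more than two rules, but the chain as a whole trips five.
    """
    by_pid = {p[0]: p for p in procs}
    kids = children_of(procs)
    summary = {}
    for root in kids.get(None, []):
        hits = {}
        for pid in subtree(root, kids):
            _, _, image, cmdline = by_pid[pid]
            for name in match_rules(image, cmdline):
                hits.setdefault(name, []).append(pid)
        summary[root] = hits
    return summary


def staged_loader_roots(procs, min_rules=3):
    """Root pids whose tree trips at least min_rules distinct indicators.

    The threshold is an assumption chosen to tolerate one or two benign hits
    (an admin might ping loopback or run timeout) without flagging them.
    """
    return sorted(root for root, hits in summarize_trees(procs).items()
                  if len(hits) >= min_rules)


if __name__ == "__main__":
    for root, hits in summarize_trees(REPORT_PROCESSES).items():
        print(f"root pid {root}: {len(hits)} indicators")
        for name, pids in hits.items():
            print(f"  {name}: pids {pids}")
    print("staged loader roots:", staged_loader_roots(REPORT_PROCESSES))
```

The findstr rule flags the unpacking step only; the report's command line shows no output redirect for findstr (the redirect, if any, lives inside Osi.wks, which is fed to cmd over stdin), so the script makes no assumption about what the filtered Ero.wks becomes. In a real pipeline the record list would come from Sysmon event ID 1 or an EDR process-creation feed instead of a hand-transcribed tree.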