Analysis Overview
SHA256
699724f6a8610c280586bf239477584de4e456b8e6f2aff27fce8c0b41bb56c9
Threat Level: Known bad
The file cd4ba6a5ecbcbaa727b4da9e16c9f960 was found to be: Known bad.
Malicious Activity Summary
Echelon
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-06-24 00:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-24 00:22
Reported
2021-06-24 00:24
Platform
win7v20210408
Max time kernel
55s
Max time network
57s
Command Line
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\ProgramData\Decoder.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\ProgramData\Decoder.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\ProgramData\Decoder.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\ProgramData\Decoder.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\ProgramData\Decoder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Decoder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe
"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"
C:\Users\Admin\AppData\Local\Temp\Borns.exe
"C:\Users\Admin\AppData\Local\Temp\Borns.exe"
C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Windows\system32\timeout.exe
timeout 4
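The signatures and process tree above translate into three checks a detection engineer would want: a process outside the Windows directory creating a key under the machine AuthRoot certificate store, cmd /c running a dropped .cmd that calls `timeout` (the sandbox-delay trick), and lookups of the public IP/geolocation services. The following is an added example and not part of the sandbox report: the Event records are constructed to mirror the report's own indicators, and the Sysmon-like field names (image, target, parent command line) are an assumption about the telemetry source. The AuthRoot rule deliberately ignores images under System32/SysWOW64 because Windows' own automatic root certificate update (CryptSvc inside svchost.exe) legitimately writes the same key.

```python
"""Detection rules for the behaviours in the behavioral1 signatures above.
Added example, not part of the sandbox report. Events are constructed to
mirror the report's indicators; Sysmon-like field names are an assumption."""
import re
from dataclasses import dataclass

# Registry path the report shows Decoder.exe creating (AuthRoot thumbprint key).
AUTHROOT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-F]{40})",
    re.IGNORECASE,
)
# Public IP / geolocation services seen in the report's network table.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "freegeoip.app"}
# Windows' own root-cert auto-update (CryptSvc in svchost.exe) writes AuthRoot too.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str            # "registry" | "process" | "dns"
    image: str           # image path of the acting process
    target: str = ""     # registry key / command line / queried domain
    parent_cmd: str = "" # parent process command line (process events only)


def flag_authroot_write(ev):
    """Non-Windows binary adding a certificate under the machine AuthRoot store."""
    if ev.kind != "registry":
        return None
    m = AUTHROOT_RE.search(ev.target)
    if not m or ev.image.lower().startswith(TRUSTED_IMAGE_DIRS):
        return None
    return f"authroot_cert_add thumbprint={m.group(1).upper()} by {ev.image}"


def flag_timeout_delay(ev):
    """timeout.exe launched by cmd /c running a script file: sandbox-evasion delay."""
    if ev.kind != "process":
        return None
    if not re.match(r"^\s*timeout(\.exe)?\s+(/t\s+)?\d+", ev.target, re.I):
        return None
    if not re.search(r'cmd(\.exe)?\s+/c\s+"".*\.cmd""', ev.parent_cmd, re.I):
        return None
    return f"timeout_delay parent={ev.parent_cmd!r}"


def flag_external_ip_lookup(ev):
    """Lookup of a public what-is-my-IP / geolocation service."""
    if ev.kind != "dns" or ev.target.lower() not in IP_LOOKUP_DOMAINS:
        return None
    return f"external_ip_lookup domain={ev.target} by {ev.image}"


RULES = (flag_authroot_write, flag_timeout_delay, flag_external_ip_lookup)


def run_rules(events):
    """Apply every rule to every event; return the list of hit strings."""
    hits = []
    for ev in events:
        for rule in RULES:
            out = rule(ev)
            if out:
                hits.append(out)
    return hits


# Constructed events mirroring the report (not real telemetry).
SAMPLE_EVENTS = [
    Event("registry", r"C:\ProgramData\Decoder.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349"),
    # Benign: the OS root-cert auto-update writing the same key must not fire.
    Event("registry", r"C:\Windows\System32\svchost.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349"),
    Event("process", r"C:\Windows\system32\timeout.exe", "timeout 4",
          parent_cmd='cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\.cmd""'),
    Event("dns", r"C:\ProgramData\Decoder.exe", "api.ipify.org"),
    Event("dns", r"C:\ProgramData\Decoder.exe", "f0553854.xsph.ru"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The parent-command regex also matches the win10 form of the same launch (`C:\Windows\system32\cmd.exe /c ""...\.cmd""`) shown in behavioral2, so one rule covers both detonations.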
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.165.85:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0553854.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0553854.xsph.ru | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
| N/A | 8.8.8.8:53 | f0521569.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0521569.xsph.ru | tcp |
Files
memory/980-60-0x0000000001330000-0x0000000001331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Borns.exe
| MD5 | 884529a75c3268c5322822bac31a78b0 |
| SHA1 | ebe46ead5ea6c147aad4b746bf7db3d065291960 |
| SHA256 | 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd |
| SHA512 | fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca |
memory/2000-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Borns.exe
| MD5 | 884529a75c3268c5322822bac31a78b0 |
| SHA1 | ebe46ead5ea6c147aad4b746bf7db3d065291960 |
| SHA256 | 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd |
| SHA512 | fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca |
memory/980-65-0x000000001B060000-0x000000001B062000-memory.dmp
memory/2000-66-0x00000000012B0000-0x00000000012B1000-memory.dmp
memory/2000-68-0x000000001A940000-0x000000001A9B1000-memory.dmp
memory/2000-69-0x000000001AEF0000-0x000000001AEF2000-memory.dmp
C:\ProgramData\Decoder.exe
| MD5 | c29c0d495ed13e703f433d53bdffdab8 |
| SHA1 | 74ed36e6b6027b61abcfe2956670ffd9de7fd71a |
| SHA256 | 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b |
| SHA512 | fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426 |
memory/328-70-0x0000000000000000-mapping.dmp
memory/684-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\.cmd
| MD5 | 73712247036b6a24d16502c57a3e5679 |
| SHA1 | 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa |
| SHA256 | 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0 |
| SHA512 | 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de |
memory/436-74-0x0000000000000000-mapping.dmp
memory/328-75-0x0000000002091000-0x0000000002092000-memory.dmp
memory/328-76-0x00000000048B0000-0x0000000004946000-memory.dmp
memory/328-77-0x0000000004810000-0x00000000048A4000-memory.dmp
memory/328-78-0x0000000002092000-0x0000000002093000-memory.dmp
memory/328-79-0x0000000002093000-0x0000000002094000-memory.dmp
memory/328-80-0x0000000002094000-0x0000000002096000-memory.dmp
memory/328-81-0x0000000004DF0000-0x0000000004E60000-memory.dmp
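The Files and Network sections are the hunt list for this sample, but not every entry deserves the same weight: the two xsph.ru hostnames (both resolving to 141.8.192.151 in this trace) have no benign explanation, whereas api.ipify.org and freegeoip.app are public services that legitimate software also calls, and 8.8.8.8 is simply the sandbox resolver. The block below is an added example, not part of the report: it tiers the report's own hashes, hostnames and IPs accordingly and matches them against log lines. The log formats (a file hash inventory and a DNS/proxy log) are constructed for the demo and are an assumption. The same indicators recur in behavioral2, so one matcher covers both detonations.

```python
"""IOC tiering and matching for the dropped files and network destinations
in this report. Added example, not part of the sandbox report. Hashes, hosts
and IPs are copied from the report; the log line formats are constructed."""
import re

# SHA256 of the dropped files from the Files section.
FILE_HASHES = {
    "76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd": "Borns.exe",
    "20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b": "Decoder.exe",
    "8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0": ".cmd",
}

# Network indicators, tiered by how much a hit alone tells you.
HIGH_CONFIDENCE = {"f0553854.xsph.ru", "f0521569.xsph.ru", "141.8.192.151"}
CONTEXT_ONLY = {"api.ipify.org", "freegeoip.app"}   # public services, not block-list material
NOISE = {"8.8.8.8"}                                   # the sandbox's resolver

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def classify_host(host):
    """Return the tier of a hostname/IP, or None if it is not an indicator."""
    h = host.lower()
    if h in HIGH_CONFIDENCE:
        return "high"
    if h in CONTEXT_ONLY:
        return "context"
    if h in NOISE:
        return "noise"
    return None


def scan_line(line):
    """Return (tier, indicator, label) tuples found on one log line."""
    found = []
    for m in SHA256_RE.finditer(line):
        name = FILE_HASHES.get(m.group(0).lower())
        if name:
            found.append(("high", m.group(0).lower(), f"dropped file {name}"))
    for m in HOST_RE.finditer(line):
        tier = classify_host(m.group(1))
        if tier and tier != "noise":
            found.append((tier, m.group(1).lower(), "network indicator"))
    return found


def scan(lines):
    """Scan many lines; return (1-based line number, hit) pairs."""
    return [(i + 1, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    "2021-06-24T00:23:01 host=ws17 file=C:\\ProgramData\\Decoder.exe sha256=20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b",
    "2021-06-24T00:23:05 host=ws17 dns query=api.ipify.org resolver=8.8.8.8",
    "2021-06-24T00:23:06 host=ws17 proxy dst=141.8.192.151:80 sni=f0553854.xsph.ru",
    "2021-06-24T00:23:09 host=ws22 dns query=www.example.com resolver=8.8.8.8",
]

if __name__ == "__main__":
    for lineno, (tier, ioc, label) in scan(SAMPLE_LOG):
        print(f"line {lineno}: [{tier}] {ioc} ({label})")
```

A "context" hit on its own should not page anyone; it becomes interesting when the same host also shows a "high" hit, as line 3 of the constructed log does alongside line 2.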
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-24 00:22
Reported
2021-06-24 00:24
Platform
win10v20210410
Max time kernel
34s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\ProgramData\Decoder.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\ProgramData\Decoder.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Borns.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Decoder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe
"C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"
C:\Users\Admin\AppData\Local\Temp\Borns.exe
"C:\Users\Admin\AppData\Local\Temp\Borns.exe"
C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Windows\system32\timeout.exe
timeout 4
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.224.49:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0553854.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0553854.xsph.ru | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
| N/A | 8.8.8.8:53 | f0521569.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0521569.xsph.ru | tcp |
Files
memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2388-116-0x0000000002720000-0x0000000002722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Borns.exe
| MD5 | 884529a75c3268c5322822bac31a78b0 |
| SHA1 | ebe46ead5ea6c147aad4b746bf7db3d065291960 |
| SHA256 | 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd |
| SHA512 | fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca |
memory/2472-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Borns.exe
| MD5 | 884529a75c3268c5322822bac31a78b0 |
| SHA1 | ebe46ead5ea6c147aad4b746bf7db3d065291960 |
| SHA256 | 76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd |
| SHA512 | fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca |
memory/2472-120-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
memory/2472-122-0x000000001BB20000-0x000000001BB91000-memory.dmp
memory/2472-123-0x000000001BDA0000-0x000000001BDA2000-memory.dmp
memory/2172-124-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| MD5 | c29c0d495ed13e703f433d53bdffdab8 |
| SHA1 | 74ed36e6b6027b61abcfe2956670ffd9de7fd71a |
| SHA256 | 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b |
| SHA512 | fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426 |
memory/2476-126-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| MD5 | c29c0d495ed13e703f433d53bdffdab8 |
| SHA1 | 74ed36e6b6027b61abcfe2956670ffd9de7fd71a |
| SHA256 | 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b |
| SHA512 | fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426 |
C:\Users\Admin\AppData\Local\Temp\.cmd
| MD5 | 73712247036b6a24d16502c57a3e5679 |
| SHA1 | 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa |
| SHA256 | 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0 |
| SHA512 | 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de |
memory/2676-129-0x0000000000000000-mapping.dmp
memory/2172-130-0x0000000004B10000-0x0000000004BA6000-memory.dmp
memory/2172-131-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/2172-133-0x0000000004B02000-0x0000000004B03000-memory.dmp
memory/2172-132-0x0000000004B00000-0x0000000004B01000-memory.dmp
memory/2172-134-0x0000000004B03000-0x0000000004B04000-memory.dmp
memory/2172-135-0x0000000004A50000-0x0000000004AE4000-memory.dmp
memory/2172-136-0x0000000005F30000-0x0000000005F31000-memory.dmp
memory/2172-137-0x0000000006170000-0x0000000006171000-memory.dmp
memory/2172-138-0x0000000004B04000-0x0000000004B06000-memory.dmp
memory/2172-139-0x0000000005360000-0x00000000053D0000-memory.dmp