Analysis
max time kernel: 150s
max time network: 197s
platform: windows7_x64
resource: win7v20210410
submitted: 24-06-2021 02:02
Static task: static1
Behavioral task: behavioral1, sample d091285362e6cfcf60690c8a4dcd695e.exe, resource win7v20210410
Behavioral task: behavioral2, sample d091285362e6cfcf60690c8a4dcd695e.exe, resource win10v20210408
General
Target: d091285362e6cfcf60690c8a4dcd695e.exe
Size: 97KB
MD5: d091285362e6cfcf60690c8a4dcd695e
SHA1: 0ad0bcc57498a5c2d1251f6fef81806be70aec04
SHA256: a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3
SHA512: 4844a9844f302fa81d17ae1229574905eec70203a9708cc36434f75a2791c7905c76824da89e2c10e55aef72207341340fddc500b80575fb2fe1873308e22400
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
PID 772 pbdtnrkk.cav.exe
PID 1488 h1uqkhud.0py.exe
PID 1636 Microsoft.exe
Modifies Windows Firewall (1 TTP)
Evidence in this run: Microsoft.exe (PID 1636) spawns netsh.exe (PID 1084) to add C:\Users\Admin\AppData\Roaming\Microsoft.exe to the firewall's allowed-programs list; the full command line is in the process tree below.

Drops startup file (2 IoCs)
Processes (Microsoft.exe):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe
Loads dropped DLL (3 IoCs)
Processes:
PID 2024 d091285362e6cfcf60690c8a4dcd695e.exe (2 loads)
PID 1488 h1uqkhud.0py.exe (1 load)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies. The report lists no file-level IoC under this signature, so which browser stores were read is not shown here.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (Microsoft.exe):
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .."
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .."
The value name 59634f1056072fe0355f6437f8fc6428 is the same string used for the startup-folder file name above, and the command line carries a trailing ".." argument; both are usable hunting pivots. The HKLM write landing under Wow6432Node shows the payload is a 32-bit process, and its succeeding shows the sample ran with administrative rights in this sandbox (user "Admin").
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
flow 9: api.ipify.org
flow 10: api.ipify.org
flow 13: ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report supports that (no mass file modification or ransom note is recorded); taken together with the autorun.inf drop above, drive enumeration here is more consistent with spreading to removable media.

Modifies system certificate store
Processes (d091285362e6cfcf60690c8a4dcd695e.exe, PID 2024):
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary value not reproduced in this report)
The key name A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA. An AuthRoot entry keyed by a well-known root thumbprint is what the Windows automatic root update writes when a process makes its first TLS connection (here, the IP-lookup requests), so on its own this is not evidence of a rogue root being installed. Confirm by decoding the Blob value rather than relying on the signature name.
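To check what was actually written under AuthRoot instead of trusting the signature name, the Blob value can be decoded. A certificate-store Blob is a sequence of records, each a little-endian DWORD property id, a DWORD reserved field (always 1), a DWORD length and that many data bytes; property 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate and property 3 (CERT_SHA1_HASH_PROP_ID) its SHA-1 hash, and the registry key name must equal the SHA-1 of the DER. The Python below is an added example, not code from the sandbox or the report. Because the report does not reproduce the Blob bytes, it runs on a constructed blob wrapping a placeholder byte string (not a real certificate); FAKE_DER, FAKE_BLOB, build_blob and the function names are this example's own.

```python
"""Decode a Windows certificate-store registry Blob and check it against its key name.

Added example, not from the sandbox report. Record layout used by Windows system
certificate stores: repeated {DWORD propid; DWORD reserved (=1); DWORD cb; BYTE data[cb]}.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # wincrypt.h: SHA-1 hash of the encoded certificate
CERT_CERT_PROP_ID = 32       # wincrypt.h: the DER-encoded certificate itself
RECORD_HEADER = struct.Struct("<III")  # propid, reserved, length (little-endian DWORDs)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}; raises ValueError on a malformed blob."""
    props = {}
    off = 0
    while off < len(blob):
        if off + RECORD_HEADER.size > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, length = RECORD_HEADER.unpack_from(blob, off)
        off += RECORD_HEADER.size
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off - 8}")
        if off + length > len(blob):
            raise ValueError(f"record {propid} runs past end of blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def check_store_entry(key_name: str, blob: bytes) -> tuple:
    """Return (thumbprint, key_name_matches, stored_hash_matches).

    thumbprint is SHA-1 over the DER certificate (property 32); Windows uses that
    hex string as the registry key name under ...\\Certificates\\.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    stored_ok = stored is None or stored.hex().upper() == thumbprint
    return thumbprint, thumbprint == key_name.upper(), stored_ok


def build_blob(props: dict) -> bytes:
    """Serialise {property_id: data} back into Blob layout (used to construct test input)."""
    return b"".join(RECORD_HEADER.pack(pid, 1, len(data)) + data for pid, data in props.items())


# Constructed placeholder: NOT a real certificate, and not the Blob from the report
# (which the report does not reproduce). It only exercises the parser offline.
FAKE_DER = b"\x30\x82\x00\x20" + b"constructed-placeholder-not-a-certificate"
FAKE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
    CERT_CERT_PROP_ID: FAKE_DER,
})
FAKE_KEY_NAME = hashlib.sha1(FAKE_DER).hexdigest().upper()
# Key name observed in this report (DigiCert Global Root CA thumbprint):
REPORT_KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

if __name__ == "__main__":
    print(check_store_entry(FAKE_KEY_NAME, FAKE_BLOB))    # (<sha1 hex>, True, True)
    print(check_store_entry(REPORT_KEY_NAME, FAKE_BLOB))  # (<sha1 hex>, False, True)
```

On a real host, read the Blob value from the key named in the report, pass it with the key name to check_store_entry, and feed the property-32 bytes to a DER parser to read the subject; a mismatch between key name and computed thumbprint, or a stored hash that disagrees with the certificate, is the signal worth escalating.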
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pbdtnrkk.cav.exe (PID 772) and Microsoft.exe (PID 1636). The 64 enumeration events come mostly from Microsoft.exe, with a smaller number from pbdtnrkk.cav.exe.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Microsoft.exe (PID 1636)
Repeated polling of the foreground window is typical of active-window tracking, the way keyloggers attribute captured keystrokes to the application that has focus.
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
SeDebugPrivilege: d091285362e6cfcf60690c8a4dcd695e.exe (PID 2024), pbdtnrkk.cav.exe (PID 772), Microsoft.exe (PID 1636)
Microsoft.exe (PID 1636) then alternately adjusts privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege, 14 times each.
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (each parent/child pair below is recorded four times; the writes coincide with each process launching its child):
PID 2024 d091285362e6cfcf60690c8a4dcd695e.exe wrote to memory of PID 772 pbdtnrkk.cav.exe
PID 2024 d091285362e6cfcf60690c8a4dcd695e.exe wrote to memory of PID 1488 h1uqkhud.0py.exe
PID 1488 h1uqkhud.0py.exe wrote to memory of PID 1636 Microsoft.exe
PID 1636 Microsoft.exe wrote to memory of PID 1084 netsh.exe
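The persistence and firewall signatures above (a Run key and a startup-folder file pointing at a binary under the user profile, netsh adding that binary to the firewall's allowed programs, IP-lookup queries from it, and a vendor-looking name such as Microsoft.exe living in AppData\Roaming) translate directly into host detection logic. The Python below is an added example, not part of the sandbox report or its tooling. It runs a handful of rules over constructed Sysmon-style events (event IDs 1 process create, 11 file create, 13 registry value set, 22 DNS query; the simplified field names and the two benign events are assumptions) and returns the hits. The paths, registry key, SID and hostnames are the ones in this report; the rules generalise a little beyond it (any user-writable path, RunOnce as well as Run, and the newer "netsh advfirewall firewall add rule" syntax).

```python
"""Host detection rules for the persistence/firewall pattern in this report.

Added example, not part of the sandbox report. Runs over constructed
Sysmon-style events: 1 = process create, 11 = file create, 13 = registry
value set, 22 = DNS query. Field names are simplified assumptions.
"""
import ntpath
import re

# Locations an unprivileged user can write to; a persistence target or firewall
# exception pointing here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
FIREWALL_ADD = re.compile(
    r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule", re.IGNORECASE
)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
STARTUP_EXE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}  # the two services contacted in this report
VENDOR_NAMES = {"microsoft.exe"}                   # constructed list of vendor-lookalike file names

SID = "S-1-5-21-2513283230-931923277-594887482-1000"  # user SID from the report
IMPLANT = r"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

# Constructed events: the first four mirror the report's IoCs, the last two are benign noise.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent": IMPLANT,
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE'},
    {"id": 13, "image": IMPLANT,
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428",
     "details": r'"C:\Users\Admin\AppData\Roaming\Microsoft.exe" ..'},
    {"id": 11, "image": IMPLANT,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe"},
    {"id": 22, "image": IMPLANT, "query": "api.ipify.org"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": "svchost.exe -k netsvcs"},
    {"id": 13, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\app.exe" /background'},
]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def first_exe(text: str):
    """Image path referenced by a command line or Run value: the quoted path, else the first token."""
    m = QUOTED_EXE.search(text)
    if m:
        return m.group(1)
    tokens = text.split()
    return tokens[0] if tokens else None


def evaluate(events) -> list:
    """Apply the rules and return sorted, de-duplicated (rule, subject) findings."""
    findings = set()
    for ev in events:
        image = ev.get("image", "")
        if ev["id"] == 1 and ntpath.basename(image).lower() == "netsh.exe":
            cmd = ev.get("cmd", "")
            prog = first_exe(cmd) if FIREWALL_ADD.search(cmd) else None
            if prog and is_user_writable(prog):
                findings.add(("firewall_allow_user_path", prog))
        elif ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")):
            prog = first_exe(ev.get("details", ""))
            if prog and is_user_writable(prog):
                findings.add(("run_key_user_path", prog))
        elif ev["id"] == 11 and STARTUP_EXE.search(ev.get("target", "")):
            findings.add(("startup_folder_exe", ev["target"]))
        elif ev["id"] == 22 and ev.get("query", "").lower() in IP_LOOKUP_HOSTS and is_user_writable(image):
            findings.add(("ip_lookup_from_user_path", image))
        # Independent of event type: a vendor-named binary living in a user profile.
        if ntpath.basename(image).lower() in VENDOR_NAMES and is_user_writable(image):
            findings.add(("vendor_name_in_profile", image))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in evaluate(EVENTS):
        print(f"{rule:28} {subject}")
```

Each rule on its own has benign hits (installers legitimately add firewall exceptions, updaters use Run keys), so in practice they are best correlated on the image path: the same user-profile binary appearing in three or four of these findings, as Microsoft.exe does here, is what distinguishes this pattern from noise.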
Processes
C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe (PID 2024)
  command line: "C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe (PID 772)
      command line: "C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe (PID 1488)
      command line: "C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Microsoft.exe (PID 1636)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\netsh.exe (PID 1084)
              command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE
Network
MITRE ATT&CK Enterprise v6
Downloads
Nine download events were recorded, covering two distinct files (labelled A and B here for readability; the report does not name them):

File A (6 events)
MD5: 4679d9734f3c814016da3e5300705979
SHA1: 73d0709085f74c84d188131df65911931bc94c01
SHA256: e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512: 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

File B (3 events)
MD5: eb2efc889c96765d41bcac7ae5586f93
SHA1: f6129e5533d751f33bea71d2f114b2e217ecbb5c
SHA256: b12603344325e60166c40764c52866e4cdc556f0176017f2cb71b5e7f0f591f0
SHA512: 5003c8d36343fe8c2761f6c73d73b9c2f99da59d9b7d80dd29dc7eb754e52ef25285b65b50119fa09d02f8ab354d8d0fd7dd59bb09f372b0347d0c2ef87be3f9