Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 02:02
Static task: static1
Behavioral task: behavioral1
Sample: d091285362e6cfcf60690c8a4dcd695e.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: d091285362e6cfcf60690c8a4dcd695e.exe
Resource: win10v20210408
General
- Target: d091285362e6cfcf60690c8a4dcd695e.exe
- Size: 97KB
- MD5: d091285362e6cfcf60690c8a4dcd695e
- SHA1: 0ad0bcc57498a5c2d1251f6fef81806be70aec04
- SHA256: a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3
- SHA512: 4844a9844f302fa81d17ae1229574905eec70203a9708cc36434f75a2791c7905c76824da89e2c10e55aef72207341340fddc500b80575fb2fe1873308e22400
Malware Config
Signatures
-
Executes dropped EXE (4 IoCs)
Processes (pid, process):
3736 kd4ka2tc.5oq.exe
3236 a2w304xa.nbb.exe
704 Microsoft.exe
2976 Decoder.exe
-
Modifies Windows Firewall (1 TTPs)
-
Drops startup file (2 IoCs)
Processes (description, ioc, process):
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | Microsoft.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | Microsoft.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | Microsoft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | Microsoft.exe
-
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Indicators (flow, ioc):
13 api.ipify.org
14 api.ipify.org
18 ip-api.com
22 freegeoip.app
23 freegeoip.app
-
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Decoder.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Decoder.exe
-
Delays execution with timeout.exe (1 IoCs)
Processes (pid, process):
3140 timeout.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
3736 kd4ka2tc.5oq.exe
3736 kd4ka2tc.5oq.exe
2976 Decoder.exe
2976 Decoder.exe
2976 Decoder.exe
704 Microsoft.exe (this row repeats for the remaining 59 of the 64 listed IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
704 Microsoft.exe
-
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege | 564 | d091285362e6cfcf60690c8a4dcd695e.exe
Token: SeDebugPrivilege | 3736 | kd4ka2tc.5oq.exe
Token: SeDebugPrivilege | 2976 | Decoder.exe
Token: SeDebugPrivilege | 704 | Microsoft.exe
Token: 33 | 704 | Microsoft.exe
Token: SeIncBasePriorityPrivilege | 704 | Microsoft.exe
(the last two rows alternate for the remaining 32 of the 36 listed IoCs)
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
PID 564 wrote to memory of 3736 | 564 | d091285362e6cfcf60690c8a4dcd695e.exe | kd4ka2tc.5oq.exe
PID 564 wrote to memory of 3736 | 564 | d091285362e6cfcf60690c8a4dcd695e.exe | kd4ka2tc.5oq.exe
PID 564 wrote to memory of 3236 | 564 | d091285362e6cfcf60690c8a4dcd695e.exe | a2w304xa.nbb.exe
PID 564 wrote to memory of 3236 | 564 | d091285362e6cfcf60690c8a4dcd695e.exe | a2w304xa.nbb.exe
PID 564 wrote to memory of 3236 | 564 | d091285362e6cfcf60690c8a4dcd695e.exe | a2w304xa.nbb.exe
PID 3236 wrote to memory of 704 | 3236 | a2w304xa.nbb.exe | Microsoft.exe
PID 3236 wrote to memory of 704 | 3236 | a2w304xa.nbb.exe | Microsoft.exe
PID 3236 wrote to memory of 704 | 3236 | a2w304xa.nbb.exe | Microsoft.exe
PID 3736 wrote to memory of 2976 | 3736 | kd4ka2tc.5oq.exe | Decoder.exe
PID 3736 wrote to memory of 2976 | 3736 | kd4ka2tc.5oq.exe | Decoder.exe
PID 3736 wrote to memory of 2976 | 3736 | kd4ka2tc.5oq.exe | Decoder.exe
PID 3736 wrote to memory of 3580 | 3736 | kd4ka2tc.5oq.exe | cmd.exe
PID 3736 wrote to memory of 3580 | 3736 | kd4ka2tc.5oq.exe | cmd.exe
PID 3580 wrote to memory of 3140 | 3580 | cmd.exe | timeout.exe
PID 3580 wrote to memory of 3140 | 3580 | cmd.exe | timeout.exe
PID 704 wrote to memory of 3176 | 704 | Microsoft.exe | netsh.exe
PID 704 wrote to memory of 3176 | 704 | Microsoft.exe | netsh.exe
PID 704 wrote to memory of 3176 | 704 | Microsoft.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 564
  - C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3736
    - C:\ProgramData\Decoder.exe
      Command line: "C:\ProgramData\Decoder.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2976
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      - Suspicious use of WriteProcessMemory
      PID: 3580
      - C:\Windows\system32\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe
        PID: 3140
  - C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3236
    - C:\Users\Admin\AppData\Roaming\Microsoft.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 704
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE
        PID: 3176
Network
MITRE ATT&CK Enterprise v6
Downloads