Analysis
max time kernel: 140s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 03-07-2021 10:23
Static task: static1
Behavioral task: behavioral1
Sample: usfive_20210703-095023.exe
Resource: win7v20210410
General
Target: usfive_20210703-095023.exe
Size: 466KB
MD5: d6b6f1ab249f9528546460eee71d431b
SHA1: 3110e71aab808c5dffe7be938187681f1a5da029
SHA256: 80dfb1cf38ee1f0a1714327db6ba9f6ddb8195aedf6c7f63a73cfafe66896aad
SHA512: f26a6e4b134f58031eb53ae84798c9c2a7adec6bac79f90932429aac35ec805c5f6814515be358d578717bd6506ddb476e91ec4f420992a17b68fca0f26cd969
Malware Config
Extracted
Family: raccoon
7ea5512058d479def2eeb58bd2231423ad2fdf37
url4cnc: https://telete.in/h_electricryptors2
Note: url4cnc is not the C2 gate itself. Raccoon resolves its gate at runtime by fetching that Telegram channel page (here through the telete.in web mirror) and decoding the real C2 address from the channel description, so the URL above should be blocked and hunted for alongside whatever gate it resolves to.
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description: PID 1720 created 2680
pid: 1720 (WerFault.exe), procid_target: 78

DarkVNC Payload (3 IoCs)
resource / yara_rule:
behavioral2/memory/2680-128-0x0000000000AB0000-0x0000000000B38000-memory.dmp  darkvnc
behavioral2/memory/2680-129-0x0000000000400000-0x000000000060F000-memory.dmp  darkvnc
behavioral2/memory/4084-131-0x0000012939F30000-0x0000012939FFA000-memory.dmp  darkvnc
The darkvnc rule matches in both the dropped anHQDYXTle.exe (PID 2680) and in WerFault.exe (PID 4084), the process that 2680 later writes to and sets thread context on; this is consistent with the payload being unpacked in 2680 and then copied into 4084.

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid: 2680, Process: anHQDYXTle.exe

Loads dropped DLL (6 IoCs)
pid: 516, Process: usfive_20210703-095023.exe (6 events)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description: PID 2680 set thread context of 4084
pid: 2680 (anHQDYXTle.exe), procid_target: 82

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for this sample, which carries a Raccoon config and a DarkVNC payload, drive enumeration is better read as a stealer cataloguing storage, not as a ransomware indicator.

Program crash (1 IoC)
pid: 1720 (WerFault.exe), pid_target: 2680, procid_target: 78
WerFault.exe PID 1720 is the genuine Windows Error Reporting handler for the crash of anHQDYXTle.exe (PID 2680), launched with -p 2680; it is a different process from the WerFault.exe instance (PID 4084) that 2680 injected into.

Delays execution with timeout.exe (1 IoC)
pid: 1580, Process: timeout.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid: 1720, Process: WerFault.exe (14 events)

Suspicious behavior: MapViewOfSection (1 IoC)
pid: 2680, Process: anHQDYXTle.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeRestorePrivilege  pid 1720 WerFault.exe
Token: SeBackupPrivilege   pid 1720 WerFault.exe
Token: SeDebugPrivilege    pid 1720 WerFault.exe
All three are enabled by the crash handler (PID 1720), consistent with WerFault.exe collecting a dump of 2680, and are not evidence of privilege abuse by the malware itself.

Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target:
PID 516 wrote to memory of 2680   516  usfive_20210703-095023.exe  78  (3 events)
PID 516 wrote to memory of 3312   516  usfive_20210703-095023.exe  79  (3 events)
PID 3312 wrote to memory of 1580  3312 cmd.exe                     81  (3 events)
PID 2680 wrote to memory of 4084  2680 anHQDYXTle.exe              82  (5 events)
The writes from 516 and 3312 into their own freshly created children are the normal CreateProcess pattern and are noise on their own. The 2680 -> 4084 writes, taken together with SetThreadContext and MapViewOfSection from 2680 and the darkvnc yara hit inside 4084, are the injection into a legitimate Windows binary (WerFault.exe).
Processes

C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe  (PID 516)
  command line: "C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\anHQDYXTle.exe  (PID 2680, child of 516)
    command line: "C:\Users\Admin\AppData\Local\Temp\anHQDYXTle.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe  (PID 4084, child of 2680)
      command line: C:\Windows\system32\WerFault.exe
      (no signatures of its own; injection target, darkvnc yara hit in its memory)

    C:\Windows\SysWOW64\WerFault.exe  (PID 1720, child of 2680)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 488
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 3312, child of 516)
    command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe"
    - Suspicious use of WriteProcessMemory
    (deletes the original sample from disk after a 10-second delay)

    C:\Windows\SysWOW64\timeout.exe  (PID 1580, child of 3312)
      command line: timeout /T 10 /NOBREAK
      - Delays execution with timeout.exe
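As an added example, not part of the sandbox report or its tooling, the following Python reconstructs the two behaviours worth a detection from the rows above: the injection into WerFault.exe (a process that both wrote another process's memory and set its thread context, with a user-writable source image and a Windows binary as target) and the delayed self-delete in the cmd.exe command line. The signature rows and process tree are embedded as constructed input copied from this page; the regexes assume that row layout, and the function names (find_hollowing, self_delete_target) are this example's own. A production version would consume Sysmon event 8/10 or equivalent telemetry rather than report text.

```python
"""Rebuild the injection chain and self-delete step from sandbox signature rows.
Added example for this page, not part of the sandbox's own code."""
import re

# Rows copied from the report's WriteProcessMemory / SetThreadContext tables
# (constructed input for this example).
WRITE_ROWS = """
PID 516 wrote to memory of 2680 516 usfive_20210703-095023.exe 78
PID 516 wrote to memory of 3312 516 usfive_20210703-095023.exe 79
PID 3312 wrote to memory of 1580 3312 cmd.exe 81
PID 2680 wrote to memory of 4084 2680 anHQDYXTle.exe 82
"""
CONTEXT_ROWS = "PID 2680 set thread context of 4084 2680 anHQDYXTle.exe 82\n"

# PID -> image path, taken from the process tree in the report.
IMAGES = {
    516: r"C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe",
    2680: r"C:\Users\Admin\AppData\Local\Temp\anHQDYXTle.exe",
    3312: r"C:\Windows\SysWOW64\cmd.exe",
    1580: r"C:\Windows\SysWOW64\timeout.exe",
    4084: r"C:\Windows\system32\WerFault.exe",
    1720: r"C:\Windows\SysWOW64\WerFault.exe",
}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+)"
)


def parse_rows(text):
    """Return the set of (source_pid, target_pid) pairs in one signature table."""
    return {(int(m["src"]), int(m["dst"])) for m in ROW_RE.finditer(text)}


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def is_user_writable(path):
    return path.lower().startswith("c:\\users\\")


def find_hollowing(writes, contexts, images):
    """Flag a target only when the same process both wrote its memory and
    replaced its thread context.  A parent writing into a freshly spawned
    child (516 -> 2680 here) is ordinary CreateProcess behaviour and is skipped."""
    hits = []
    for src, dst in sorted(contexts):
        if (src, dst) not in writes:
            continue
        src_img, dst_img = images.get(src, "?"), images.get(dst, "?")
        if is_user_writable(src_img) and is_windows_binary(dst_img):
            hits.append({"injector": src, "target": dst,
                         "injector_image": src_img, "target_image": dst_img})
    return hits


# "delay, then del" self-removal: a timeout/ping stall followed by del <path>.
DELAY_RE = re.compile(r"\b(timeout|ping)\b", re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def self_delete_target(cmdline):
    """Return the path a delayed 'del' command line removes, or None."""
    if not DELAY_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for h in find_hollowing(parse_rows(WRITE_ROWS), parse_rows(CONTEXT_ROWS), IMAGES):
        print(f"injection: {h['injector_image']} ({h['injector']}) -> "
              f"{h['target_image']} ({h['target']})")
    cmd = ('cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '
           r'"C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe"')
    print("self-delete target:", self_delete_target(cmd))
```

The pairing of WriteProcessMemory with SetThreadContext on the same target is what removes the CreateProcess noise: of the four write edges in the report only 2680 -> 4084 survives, and it is the one whose target memory carries the darkvnc yara hit.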