Analysis
- max time kernel: 130s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 28-07-2021 10:21
- Static task: static1
General
- Target: CODWCheats.exe
- Size: 9.4MB
- MD5: 2c7c0b89e187bac9cea3c0c285591852
- SHA1: 5999c0c5086ecd7f71de61b565068d12f3291ef7
- SHA256: 33314a958e790feedb53ae8cc727e2b8c737084f5ea5d66138924ae94aa571d4
- SHA512: 56b03915330e59347a6c2b81dcb99cb988a859787563d8bf2582d7823f642d532e5fa2f93606bf0e25bc47024ff2ee2c4a4248c31e8096d8f32080dd38c4e454
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes (description | pid | process | target process):
- PID 2520 created 3900 | 2520 | WerFault.exe | build_protected.exe
- PID 2884 created 2324 | 2884 | WerFault.exe | build_protected.exe

suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Executes dropped EXE (4 IoCs)
Processes (pid | process):
- 2144 | build_protected.sfx.exe
- 3900 | build_protected.exe
- 2176 | build_protected.sfx.exe
- 2324 | build_protected.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes (pid | process):
- 3900 | build_protected.exe
- 3900 | build_protected.exe
- 2324 | build_protected.exe
- 2324 | build_protected.exe
- 3900 | build_protected.exe
- 2324 | build_protected.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes (pid | pid_target | process | target process):
- 2520 | 3900 | WerFault.exe | build_protected.exe
- 2884 | 2324 | WerFault.exe | build_protected.exe

Modifies registry class (2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | CODWCheats.exe
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | CODWCheats.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes (pid | process):
- 3900 | build_protected.exe
- 2324 | build_protected.exe
- 2324 | build_protected.exe
- 3900 | build_protected.exe
- 2520 | WerFault.exe (16 occurrences)
- 2884 | WerFault.exe (16 occurrences)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3900 | build_protected.exe
- Token: SeDebugPrivilege | 2324 | build_protected.exe
- Token: SeRestorePrivilege | 2520 | WerFault.exe
- Token: SeBackupPrivilege | 2520 | WerFault.exe
- Token: SeDebugPrivilege | 2520 | WerFault.exe
- Token: SeDebugPrivilege | 2884 | WerFault.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid | process):
- 996 | CODWCheats.exe
- 996 | CODWCheats.exe
- 3900 | build_protected.exe
- 2324 | build_protected.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
- PID 996 wrote to memory of 2144 | 996 | CODWCheats.exe | build_protected.sfx.exe (3 occurrences)
- PID 2144 wrote to memory of 3900 | 2144 | build_protected.sfx.exe | build_protected.exe (3 occurrences)
- PID 2176 wrote to memory of 2324 | 2176 | build_protected.sfx.exe | build_protected.exe (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\CODWCheats.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\CODWCheats.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Desktop\build_protected.sfx.exe (depth 2)
    command line: "C:\Users\Admin\Desktop\build_protected.sfx.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\build_protected.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1452
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\build_protected.sfx.exe (depth 1)
  command line: "C:\Users\Admin\Desktop\build_protected.sfx.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\build_protected.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 2252
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\build_protected.exe
  MD5: d410f0078f4b4bb237a032ddb999236c
  SHA1: 83e6d1f3f77896c3e6569c1aefdb7c0f31d95d19
  SHA256: f891e70d5cc6ef34db84686341fac366c340614b580aa38cb2dd850d1de4a12d
  SHA512: f1a7c8035cf7a483c8909d6139a9db85cff4a28cfd6b393feb4438986003bce175199cfe08f149ebdda8333a7355d8d6043fd212b169c334dd635ab58b1f6558
- C:\Users\Admin\AppData\Local\vni1in7g\Clipboard.txt
  MD5: 809b24c010f6102183f6461cab36eb06
  SHA1: 485c85d91a481083e5491a7773d5cf7fc40d9d89
  SHA256: b2df1a1b12de37c3b1159c28aa1fe7c7230666f70ad6d5f7b6c474307db26b10
  SHA512: 0cc9c181aaef4f50b05f95607726a3e376518be6d538e12f39cd0ffa4be6c7e650fb64cdbe6e64428b879cf89ad70578abb092abd331a09fa5c095433153ace3

- C:\Users\Admin\AppData\Local\vni1in7g\PC-Information.txt
  MD5: adf67656256c219d74e8cdc62f1f3c70
  SHA1: 3a61bfb05e8974f3a9cf55f1ee11c5cd0d9cc130
  SHA256: df0660fb4e811746bf87e98360849925ef5d3eb8a556087d02bcf7f2acfbdc6f
  SHA512: db7c1e3a9a332ba16f20d049dd7ba8e5d25ced80937f0663418607815646e6da271eb33f998a491ec7b716f15dd31a6ae25fead876412e0f5b7b907a5c3b458b

- C:\Users\Admin\AppData\Local\vni1in7g\ProcessList.txt
  MD5: 7207721d7dc793182b14f1c94c3812a3
  SHA1: 9dece2c35112c669bb1e307a1015989840a62b1f
  SHA256: bf81cc849fd2cd60f641a6bdf27598e810c8df9802b4cafbfef7e1f593dc1c5c
  SHA512: 13542bd3be1443e78b3954ee636b6c522a1fbc786e789a1e4f8b578a0218cf2c4c233d0ca6d8bdddf7a01b17d489b5c7b1fd4244099e95a86fc89e4874be6f80

- C:\Users\Admin\Desktop\build_protected.sfx.exe
  MD5: dcc5951f425b50188ada18222e646e0b
  SHA1: c01d710cece23698ce28b306f7fbf5cfc0648166
  SHA256: 424b489aa9b6dab205472918e10bf07ec2388ac23a00e534b36e90994ee6e33b
  SHA512: 757b543a5f7b74064f158922c931dc1e63c1cf22964a819f4ba5599876245fcfdcc017458c61b39384c8ec0310fabeb72ad6b73b35b58f831de64e704dbb9a16
- memory/2144-116-0x0000000000000000-mapping.dmp
- memory/2324-148-0x0000000007140000-0x0000000007141000-memory.dmp (Filesize 4KB)
- memory/2324-143-0x0000000005710000-0x0000000005711000-memory.dmp (Filesize 4KB)
- memory/2324-133-0x0000000000000000-mapping.dmp
- memory/2324-140-0x00000000054B0000-0x00000000059AE000-memory.dmp (Filesize 5.0MB)
- memory/3900-129-0x0000000003150000-0x0000000003151000-memory.dmp (Filesize 4KB)
- memory/3900-141-0x0000000005990000-0x0000000005991000-memory.dmp (Filesize 4KB)
- memory/3900-144-0x0000000005AB0000-0x0000000005AB1000-memory.dmp (Filesize 4KB)
- memory/3900-128-0x0000000005880000-0x0000000005D7E000-memory.dmp (Filesize 5.0MB)
- memory/3900-127-0x0000000005880000-0x0000000005881000-memory.dmp (Filesize 4KB)
- memory/3900-126-0x0000000005D80000-0x0000000005D81000-memory.dmp (Filesize 4KB)
- memory/3900-124-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
- memory/3900-121-0x0000000000000000-mapping.dmp