Analysis
-
max time kernel
114s -
max time network
43s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
30-07-2021 07:55
Static task
static1
Behavioral task
behavioral1
Sample
ximay.exe
Resource
win7v20210410
General
-
Target
ximay.exe
-
Size
871KB
-
MD5
f8a4090467dc96146cd516fa96a80171
-
SHA1
64dd6ec4ff2f57c43903fc8730dd6b0815e914bd
-
SHA256
3a601391e56cb1ebb50984f2b66b24f10122f66e09e8e21e877596504684a402
-
SHA512
ea3ad9052ecc0dbdf0dff7636d1bb2586726a0905860d04b58db3a385bf7c9478d9c78cd5d68ee99517bb97220e1f1a53cc07bd949511c8e4dd699cc2a3bb260
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
1.exe, 2.exe — pid / process: 1212 1.exe; 1392 2.exe
Loads dropped DLL 7 IoCs
Note: five of the seven hits are attributed to WerFault.exe (PID 1372), which was started to handle the crash of 2.exe (see "Program crash" below). Dropped-module loads by the error-reporting process are most plausibly a side effect of it inspecting the crashed process rather than a separate injection; confirm against the loaded-module list before treating WerFault.exe as compromised.
Processes:
ximay.exe, WerFault.exe — pid / process: 1640 ximay.exe; 1640 ximay.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly harvest stored browser data (saved credentials, cookies, autofill and similar). Note that this signature carries no process list in this report, so the page does not say which of the dropped executables (1.exe or 2.exe) performed the access.
-
Looks up external IP address via web service 5 IoCs
Uses legitimate public IP-lookup services to discover the infected system's external IP address. The services themselves are benign and widely used by ordinary software, so alert on them in combination with the rest of this chain (a dropped executable contacting several such services in quick succession) rather than on the domains alone.
Processes:
flow / ioc: 6 wtfismyip.com; 7 wtfismyip.com; 8 api.ipify.org; 9 api.ipify.org; 12 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the rest of this report (browser-data access, external-IP lookups, no file-encryption or ransom-note indicators) points more toward an information stealer, so do not classify the sample on this signature alone.
-
Program crash 1 IoCs
Processes:
WerFault.exe — pid / pid_target / process / target process: 1372 1392 WerFault.exe 2.exe
(2.exe, PID 1392, crashed and was handled by WerFault.exe, PID 1372. This explains the WerFault.exe entries in the other signatures, and means the second payload may not have completed its work in this run.)
Modifies system certificate store
Processes:
(1.exe writes the AuthRoot entry below. The DER blob in the value decodes to a self-signed root: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31, CRL http://crl.comodoca.com/AAACertificateServices.crl. That is a public root CA, not an attacker-supplied certificate; on Windows, AuthRoot entries are commonly populated automatically while a process builds a TLS chain, so this is plausibly a side effect of 1.exe's network activity rather than deliberate trust-store tampering. Verify the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 against the published fingerprint of that root before treating it as an indicator.)
1.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 1.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e
07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 1.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
2.exe, WerFault.exe, 1.exe — pid / process: 1392 2.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1372 WerFault.exe; 1212 1.exe; 1212 1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exe — pid / process: 1372 WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
2.exe, 1.exe, WerFault.exe — description / pid / process: Token: SeDebugPrivilege 1392 2.exe; Token: SeDebugPrivilege 1212 1.exe; Token: SeDebugPrivilege 1372 WerFault.exe
Note: SeDebugPrivilege is expected for WerFault.exe, which must open the crashed process. The notable part is that both dropped payloads (1.exe and 2.exe) enable the same privilege, which is what allows a process to open other processes for memory reading or injection.
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ximay.exe, 2.exe — description / pid / process / target process:
PID 1640 wrote to memory of 1212 — 1640 ximay.exe → 1.exe (4 events)
PID 1640 wrote to memory of 1392 — 1640 ximay.exe → 2.exe (4 events)
PID 1392 wrote to memory of 1372 — 1392 2.exe → WerFault.exe (4 events)
Note: every write is from a parent into a process it has just created (ximay.exe into 1.exe and 2.exe, and 2.exe into the WerFault.exe spawned on its crash), which is the pattern a sandbox records for ordinary process start-up as well as for injection. This page does not show what was written, so treat this as corroborating the drop-and-execute chain rather than as proof of code injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ximay.exe — command line: "C:\Users\Admin\AppData\Local\Temp\ximay.exe" (tree depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\1.exe — command line: "C:\Users\Admin\AppData\Local\Temp\1.exe" (tree depth 2)
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\2.exe — command line: "C:\Users\Admin\AppData\Local\Temp\2.exe" (tree depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\WerFault.exe — command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1256 (tree depth 3; the trailing "3" in the extracted text is the depth marker, not part of the -s argument)
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1372
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped/downloaded files; the entries below repeat only two distinct files, MD5 5679e43fa582e92f21d1fc8e62caba59 and MD5 5609962fffad08684e19498691586761 — presumably the dropped 1.exe and 2.exe, though this page does not map hashes to file names)
-
MD5 5679e43fa582e92f21d1fc8e62caba59
SHA1 917c6afbf7beb6c277193b33a8c337ee039dc6cc
SHA256 8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec
SHA512 30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee
-
MD5 5679e43fa582e92f21d1fc8e62caba59
SHA1 917c6afbf7beb6c277193b33a8c337ee039dc6cc
SHA256 8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec
SHA512 30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5679e43fa582e92f21d1fc8e62caba59
SHA1 917c6afbf7beb6c277193b33a8c337ee039dc6cc
SHA256 8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec
SHA512 30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a
-
MD5 5609962fffad08684e19498691586761
SHA1 e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256 cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512 c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a