Analysis

max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 30-07-2021 07:55
Static task: static1
Behavioral task: behavioral1
Sample: ximay.exe
Resource: win7v20210410
General

Target: ximay.exe
Size: 871KB
MD5: f8a4090467dc96146cd516fa96a80171
SHA1: 64dd6ec4ff2f57c43903fc8730dd6b0815e914bd
SHA256: 3a601391e56cb1ebb50984f2b66b24f10122f66e09e8e21e877596504684a402
SHA512: ea3ad9052ecc0dbdf0dff7636d1bb2586726a0905860d04b58db3a385bf7c9478d9c78cd5d68ee99517bb97220e1f1a53cc07bd949511c8e4dd699cc2a3bb260
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes: 1.exe (pid 1468), 2.exe (pid 1664)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows: 7 wtfismyip.com, 8 wtfismyip.com, 9 api.ipify.org, 10 api.ipify.org, 17 ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe (pid 2112), target pid 1664 (procid_target 75)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: 2.exe (pid 1664) x1, 1.exe (pid 1468) x2, WerFault.exe (pid 2112) x15

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
2.exe (pid 1664): SeDebugPrivilege
1.exe (pid 1468): SeDebugPrivilege
WerFault.exe (pid 2112): SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
ximay.exe (pid 4020) wrote to memory of pid 1468 (procid_target 74) x2
ximay.exe (pid 4020) wrote to memory of pid 1664 (procid_target 75) x3
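The signatures above are individually weak (a parent writing into a child it has just spawned can also happen during ordinary process start-up, and WerFault.exe legitimately enables backup/restore/debug privileges while dumping a crashed process), but together they describe a dropper launching two %TEMP% payloads that immediately check the host's public IP and enable SeDebugPrivilege. The script below is an added example, not part of this report or of the sandbox vendor's tooling: it scores those signals per process over a constructed event list. Pids, image paths, token privileges and lookup domains come from the report; the event schema is assumed, and because the report does not say which child issued which DNS query, that attribution is assumed as well.

```python
"""Score the behavioural signals from a sandbox report per process.

Added example: not part of the original report and not the sandbox
vendor's code. EVENTS is constructed by hand from the signatures above;
the schema and the per-process DNS attribution are assumptions.
"""
from collections import defaultdict

# Public "what is my IP" services. Contacting one shortly after launch is a
# common infostealer fingerprint ("Looks up external IP address via web
# service"). The last two are additions beyond the three domains in the report.
IP_LOOKUP_DOMAINS = {"wtfismyip.com", "api.ipify.org", "ip-api.com",
                     "ifconfig.me", "icanhazip.com"}

# Privileges worth flagging when enabled by something dropped in %TEMP%.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeBackupPrivilege",
                        "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

# Windows Error Reporting enables backup/restore/debug privileges while
# dumping a crashed process; that is expected and is not scored.
BENIGN_PRIVILEGE_USERS = {"werfault.exe"}

# Constructed events mirroring this report.
EVENTS = [
    {"type": "process", "pid": 4020, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ximay.exe"},
    {"type": "process", "pid": 1468, "ppid": 4020,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe"},
    {"type": "process", "pid": 1664, "ppid": 4020,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2.exe"},
    {"type": "process", "pid": 2112, "ppid": 1664,
     "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"type": "write_memory", "pid": 4020, "target": 1468},
    {"type": "write_memory", "pid": 4020, "target": 1664},
    {"type": "dns", "pid": 1468, "domain": "wtfismyip.com"},  # attribution assumed
    {"type": "dns", "pid": 1468, "domain": "api.ipify.org"},  # attribution assumed
    {"type": "dns", "pid": 1664, "domain": "ip-api.com"},     # attribution assumed
    {"type": "privilege", "pid": 1664, "privilege": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 1468, "privilege": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 2112, "privilege": "SeRestorePrivilege"},
    {"type": "privilege", "pid": 2112, "privilege": "SeBackupPrivilege"},
    {"type": "privilege", "pid": 2112, "privilege": "SeDebugPrivilege"},
]

WEIGHTS = {
    "writes_foreign_process_memory": 4,  # classic injection into an unrelated process
    "executes_dropped_exe": 3,
    "external_ip_lookup": 3,
    "enables_SeDebugPrivilege": 2,
    "enables_SeBackupPrivilege": 2,
    "enables_SeRestorePrivilege": 2,
    "enables_SeTakeOwnershipPrivilege": 2,
    "writes_child_memory(weak)": 1,      # see comment in triage()
}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def triage(events):
    """Return {pid: sorted finding tags} for every process with at least one hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # A %TEMP% binary launched by another %TEMP% binary is the
            # "Executes dropped EXE" pattern.
            if in_user_temp(e["image"]) and parent and in_user_temp(parent["image"]):
                findings[pid].add("executes_dropped_exe")
        elif e["type"] == "write_memory":
            target = procs.get(e["target"])
            if target is not None and target["ppid"] == pid:
                # A parent writing into a child it just created can also occur
                # during normal process start-up, so alone this is weak evidence.
                findings[pid].add("writes_child_memory(weak)")
            else:
                findings[pid].add("writes_foreign_process_memory")
        elif e["type"] == "dns":
            if e["domain"].lower() in IP_LOOKUP_DOMAINS:
                findings[pid].add("external_ip_lookup")
        elif e["type"] == "privilege":
            image = procs.get(pid, {}).get("image", "")
            if e["privilege"] in SENSITIVE_PRIVILEGES and \
               image_name(image) not in BENIGN_PRIVILEGE_USERS:
                findings[pid].add("enables_" + e["privilege"])
    return {pid: sorted(tags) for pid, tags in findings.items()}


def score(tags):
    return sum(WEIGHTS.get(t, 1) for t in tags)


def report(events):
    """(pid, image, score, tags) tuples, highest score first, then by pid."""
    procs = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    rows = [(pid, image_name(procs[pid]), score(tags), tags)
            for pid, tags in triage(events).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for pid, image, total, tags in report(EVENTS):
        print(f"{total:2d}  pid {pid:<5} {image:<14} {', '.join(tags)}")
```

On this report's events the two dropped payloads (1468, 1664) score highest, the dropper itself only gets the weak parent-to-child write, and WerFault.exe is not flagged at all despite enabling three privileges.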
Processes

C:\Users\Admin\AppData\Local\Temp\ximay.exe (PID 4020)
  command line: "C:\Users\Admin\AppData\Local\Temp\ximay.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1468, child of 4020)
      command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\2.exe (PID 1664, child of 4020)
      command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (PID 2112, child of 1664)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1924
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
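The "Program crash" link between WerFault.exe (pid 2112) and 2.exe (pid 1664) is recoverable from WerFault's own command line: `-p` carries the pid of the faulting process. Since this WerFault.exe runs from SysWOW64, the crashed 2.exe was a 32-bit process on the x64 guest. The snippet below is an added example (not part of the report) that rebuilds the process tree from the records above and attaches each crash to its target; the parent pids are taken from the tree as displayed, and the record layout is an assumption.

```python
"""Rebuild a sandbox process tree and tie WerFault.exe back to the crashed pid.

Added example, not part of the original report. PROCESSES is constructed
from the Processes section: (pid, parent pid or None, command line).
"""
import re

PROCESSES = [
    (4020, None, r'"C:\Users\Admin\AppData\Local\Temp\ximay.exe"'),
    (1468, 4020, r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    (1664, 4020, r'"C:\Users\Admin\AppData\Local\Temp\2.exe"'),
    (2112, 1664, r"C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1924"),
]

# WerFault.exe is launched with "-p <pid>" naming the process that faulted.
WERFAULT_TARGET = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def crash_targets(procs):
    """Map each WerFault.exe pid to the pid it was dumping."""
    targets = {}
    for pid, _ppid, cmdline in procs:
        m = WERFAULT_TARGET.search(cmdline)
        if m:
            targets[pid] = int(m.group(1))
    return targets


def render_tree(procs):
    """Return one indented line per process, marking crashed processes."""
    by_pid, children = {}, {}
    for pid, ppid, cmdline in procs:
        by_pid[pid] = cmdline
        children.setdefault(ppid, []).append(pid)
    crashed = {target: wer for wer, target in crash_targets(procs).items()}
    lines = []

    def walk(pid, depth):
        note = f"  <- crashed, dumped by WerFault pid {crashed[pid]}" if pid in crashed else ""
        lines.append(f"{'    ' * depth}[{pid}] {by_pid[pid]}{note}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(children.get(None, [])):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
```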
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 5679e43fa582e92f21d1fc8e62caba59
SHA1: 917c6afbf7beb6c277193b33a8c337ee039dc6cc
SHA256: 8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec
SHA512: 30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee

MD5: 5609962fffad08684e19498691586761
SHA1: e8ca815c265602d3f5285ca032594d56440b3cf3
SHA256: cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db
SHA512: c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a