Analysis

  • max time kernel
    18s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    30-07-2021 07:55

General

  • Target

    ximay.exe

  • Size

    871KB

  • MD5

    f8a4090467dc96146cd516fa96a80171

  • SHA1

    64dd6ec4ff2f57c43903fc8730dd6b0815e914bd

  • SHA256

    3a601391e56cb1ebb50984f2b66b24f10122f66e09e8e21e877596504684a402

  • SHA512

    ea3ad9052ecc0dbdf0dff7636d1bb2586726a0905860d04b58db3a385bf7c9478d9c78cd5d68ee99517bb97220e1f1a53cc07bd949511c8e4dd699cc2a3bb260

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ximay.exe
    "C:\Users\Admin\AppData\Local\Temp\ximay.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1924
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.exe

    MD5

    5679e43fa582e92f21d1fc8e62caba59

    SHA1

    917c6afbf7beb6c277193b33a8c337ee039dc6cc

    SHA256

    8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec

    SHA512

    30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee

  • C:\Users\Admin\AppData\Local\Temp\1.exe

    MD5

    5679e43fa582e92f21d1fc8e62caba59

    SHA1

    917c6afbf7beb6c277193b33a8c337ee039dc6cc

    SHA256

    8ea1ec338312a9497dc8f9ff4337a792b4b410516aad1da497ce93485976a0ec

    SHA512

    30a02bada2a47e42e81c367f9a87ead558bcfd75e7daba4b1529edf4616e8a12e6bcd7a8ba591d13359d63be4d69a2ca92ae2f4e1538c56cecdc080c166cafee

  • C:\Users\Admin\AppData\Local\Temp\2.exe

    MD5

    5609962fffad08684e19498691586761

    SHA1

    e8ca815c265602d3f5285ca032594d56440b3cf3

    SHA256

    cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db

    SHA512

    c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a

  • C:\Users\Admin\AppData\Local\Temp\2.exe

    MD5

    5609962fffad08684e19498691586761

    SHA1

    e8ca815c265602d3f5285ca032594d56440b3cf3

    SHA256

    cd1d374e13770b9adfc378d073fdcfd3b65275f140dbb3a3b702f4ccfbf378db

    SHA512

    c20e43b1823cd7916ecbb7fe1b5b99f0d36832543c08b7eae7018a616e6ee39df96889cd56614d66804a3bb943e67165619fb49d5562e0e7b8992c5b97a0637a

  • memory/1468-114-0x0000000000000000-mapping.dmp

  • memory/1468-120-0x0000028E8BC70000-0x0000028E8BC71000-memory.dmp

    Filesize

    4KB

  • memory/1468-125-0x0000028EA62C0000-0x0000028EA6331000-memory.dmp

    Filesize

    452KB

  • memory/1468-126-0x0000028E8D9D0000-0x0000028E8D9D2000-memory.dmp

    Filesize

    8KB

  • memory/1664-117-0x0000000000000000-mapping.dmp

  • memory/1664-122-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/1664-124-0x0000000004B50000-0x0000000004B51000-memory.dmp

    Filesize

    4KB