Overview

overview

10

Static

static

driver.sys.exe

windows11_x64

driver.sys.exe

windows10_x64

SplitBot.exe

windows11_x64

10

SplitBot.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    25-10-2021 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SplitBot.exe

  • Size

    4.3MB

  • MD5

    4e2835daca8a52e01540a596b5b57763

  • SHA1

    bf9c98fb338e332081a6324d882f4769956b3cd8

  • SHA256

    7c3c10637adb941c20d60062422812830a040172ad939c5d8ad24f6a18f6b34d

  • SHA512

    633bd6eb1c117c772de389be8cc86766c56577375bdf8d954a3b8a878e354cc9328b02e414bcc1443694547bae91b3003ea8b0c8274c74e6ec0b683584933c16

Score
10/10
persistencespywarestealersuricata

Malware Config

Signatures

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

    suricata
  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SplitBot.exe
    "C:\Users\Admin\AppData\Local\Temp\SplitBot.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe
      "C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a6ap96WVlc.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2024
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            4⤵
              PID:4788
            • C:\Users\Default User\winlogon.exe
              "C:\Users\Default User\winlogon.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:3436
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:3744
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Documents and Settings\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4320
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
        1⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:2268
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\csrsrv\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1584
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2860
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3584
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:2704
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 8a46f8d45264061e5266ce24d7cf5df1 aF0MGEmogECDG5fKrOX3hA.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:5076

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\a6ap96WVlc.bat
          MD5

          3f29426e07373c2bdf41dcf5ce4deca5

          SHA1

          7ad6616e65e8040257e35d2cc6e1be3a3de0cc66

          SHA256

          01c4d7fd0e84f8e6b194c7c031f6d8c70750d8b4443186bc4c888eae93191d81

          SHA512

          a770eb253cca947152fbe1ad37b272795f605af7f471337a1f3c08b955b33552c3b96b9eb0249e033fa3fbac29f1bec1b5ec48a6f524456f8f133cbe3034ba83

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe
          MD5

          a15410a6d2cc6b4484c870f4332658f2

          SHA1

          84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525

          SHA256

          b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845

          SHA512

          824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\reviewrefsessionmonitorreviewruntimeDhcp.exe
          MD5

          a15410a6d2cc6b4484c870f4332658f2

          SHA1

          84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525

          SHA256

          b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845

          SHA512

          824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838

          Download Submit
        • C:\Users\Default User\winlogon.exe
          MD5

          a15410a6d2cc6b4484c870f4332658f2

          SHA1

          84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525

          SHA256

          b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845

          SHA512

          824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838

          Download Submit
        • C:\Users\Default\winlogon.exe
          MD5

          a15410a6d2cc6b4484c870f4332658f2

          SHA1

          84b03444e3f5dcd6df96ac5ccf8dcbb712bd5525

          SHA256

          b60805e0e0dab7bc799ecc98d9280ef029fb787ffc2f754edc9640fd49187845

          SHA512

          824cb01c90daea7e31a9e704632cb77dccdbade2bcdf293620cf6a88d313ca504911989399507de3d93d198fce07512959d45c8998af47c5a3286f77699a6838

          Download Submit
        • memory/756-147-0x0000000000000000-mapping.dmp
          Download
        • memory/756-150-0x0000000000E10000-0x0000000000E11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/756-155-0x0000000001810000-0x0000000001812000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1344-152-0x00000249DDF20000-0x00000249DDF30000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1344-153-0x00000249DDFA0000-0x00000249DDFB0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1344-154-0x00000249E06B0000-0x00000249E06B4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2024-159-0x0000000000000000-mapping.dmp
          Download
        • memory/2100-157-0x0000000000000000-mapping.dmp
          Download
        • memory/2268-156-0x0000000000000000-mapping.dmp
          Download
        • memory/2832-146-0x0000000000400000-0x0000000000B12000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/3436-161-0x0000000000000000-mapping.dmp
          Download
        • memory/3436-166-0x000000001AFF0000-0x000000001AFF7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3436-167-0x000000001C700000-0x000000001C708000-memory.dmp
          Filesize

          32KB

          Download
        • memory/3436-168-0x000000001C300000-0x000000001C350000-memory.dmp
          Filesize

          320KB

          Download
        • memory/3436-169-0x000000001C350000-0x000000001C354000-memory.dmp
          Filesize

          16KB

          Download
        • memory/3436-170-0x000000001C360000-0x000000001C362000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3436-171-0x000000001C370000-0x000000001C371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3436-172-0x000000001E370000-0x000000001E371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4788-160-0x0000000000000000-mapping.dmp
          Download