Analysis
-
max time kernel
121s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 18:06
Static task
static1
Behavioral task
behavioral1
Sample
f88c058646225de6e3cddc39ea0c9ff7.exe
Resource
win7-en-20211014
General
-
Target
f88c058646225de6e3cddc39ea0c9ff7.exe
-
Size
1.4MB
-
MD5
f88c058646225de6e3cddc39ea0c9ff7
-
SHA1
a7987fab49ee81b9a86965bd6dbd14bc0140a27c
-
SHA256
8dca2819e4395eb497f4246dc808a5efb1cd805a70825bda636240facd8dd66c
-
SHA512
c6a7a330372ce389758e4339954b248e825df0b8872f01993aa547fba816fbaa91086d61f30fdaf25bd35ff0bbe550ccc4b73c5b061916a62a2380b9ced9352f
Malware Config
Signatures
-
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
-
suricata: ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
-
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)
-
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
unzip.exePsInfo64.exe7za.exepid process 1224 unzip.exe 856 PsInfo64.exe 1740 7za.exe -
Loads dropped DLL 3 IoCs
Processes:
f88c058646225de6e3cddc39ea0c9ff7.exepid process 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
f88c058646225de6e3cddc39ea0c9ff7.exedescription pid process target process PID 4092 set thread context of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
PsInfo64.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 PsInfo64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz PsInfo64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PsInfo64.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
f88c058646225de6e3cddc39ea0c9ff7.exepid process 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
7za.exedescription pid process Token: SeRestorePrivilege 1740 7za.exe Token: 35 1740 7za.exe Token: SeSecurityPrivilege 1740 7za.exe Token: SeSecurityPrivilege 1740 7za.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
f88c058646225de6e3cddc39ea0c9ff7.exef88c058646225de6e3cddc39ea0c9ff7.exepid process 4092 f88c058646225de6e3cddc39ea0c9ff7.exe 2192 f88c058646225de6e3cddc39ea0c9ff7.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
f88c058646225de6e3cddc39ea0c9ff7.exef88c058646225de6e3cddc39ea0c9ff7.execmd.execmd.execmd.exedescription pid process target process PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 4092 wrote to memory of 2192 4092 f88c058646225de6e3cddc39ea0c9ff7.exe f88c058646225de6e3cddc39ea0c9ff7.exe PID 2192 wrote to memory of 2856 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 2856 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 2856 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2856 wrote to memory of 1224 2856 cmd.exe unzip.exe PID 2856 wrote to memory of 1224 2856 cmd.exe unzip.exe PID 2856 wrote to memory of 1224 2856 cmd.exe unzip.exe PID 2192 wrote to memory of 4000 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 4000 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 4000 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 4000 wrote to memory of 856 4000 cmd.exe PsInfo64.exe PID 4000 wrote to memory of 856 4000 cmd.exe PsInfo64.exe PID 2192 wrote to memory of 3488 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 3488 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 3488 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 1716 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 1716 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 2192 wrote to memory of 1716 2192 f88c058646225de6e3cddc39ea0c9ff7.exe cmd.exe PID 1716 wrote to memory of 1740 1716 cmd.exe 7za.exe PID 1716 wrote to memory of 1740 1716 cmd.exe 7za.exe PID 1716 wrote to memory of 1740 1716 cmd.exe 7za.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f88c058646225de6e3cddc39ea0c9ff7.exe"C:\Users\Admin\AppData\Local\Temp\f88c058646225de6e3cddc39ea0c9ff7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f88c058646225de6e3cddc39ea0c9ff7.exe"C:\Users\Admin\AppData\Local\Temp\f88c058646225de6e3cddc39ea0c9ff7.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\IronPortCenter" & unzip.exe -o libraries.zip3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\unzip.exeunzip.exe -o libraries.zip4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\IronPortCenter\PsInfo64.exe /accepteula kernel > "C:\Users\Admin\AppData\Roaming\IronPortCenter\os_out"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\PsInfo64.exeC:\Users\Admin\AppData\Roaming\IronPortCenter\PsInfo64.exe /accepteula kernel4⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\IronPortCenter.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\f88c058646225de6e3cddc39ea0c9ff7.exe';$s.Save()"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\IronPortCenter\7za.exe x "C:\Users\Admin\AppData\Local\temp\chromium89.7z" -o"C:\Users\Admin\AppData\Roaming"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\7za.exeC:\Users\Admin\AppData\Roaming\IronPortCenter\7za.exe x "C:\Users\Admin\AppData\Local\temp\chromium89.7z" -o"C:\Users\Admin\AppData\Roaming"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\temp\chromium89.7zMD5
4c127ed294686a00b6bc414c3984c185
SHA1128b851818a350e9ee46cd1ef7e8bb19dee759cd
SHA25665f335226ab7d0b47d424aa3391c240352c25dddbc666b12c67c583140691d2c
SHA5127cc88e3caabd42652030f441d867b577b7ab2fc1b7886f69c43745778918323d551ddd5e61218cfa54b2d40338cc2f111983ce583df9f1eb8aada530ce645aaf
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\7za.exeMD5
0184e6ebe133ef41a8cc6ef98a263712
SHA1cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA5126fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\7za.exeMD5
0184e6ebe133ef41a8cc6ef98a263712
SHA1cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA5126fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\PsInfo64.exeMD5
efa2f8f73b3559711149dfdeb8bc288e
SHA1453c70e4b12ecabe860866165ad39de6361215fd
SHA256ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb
SHA51263f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\PsInfo64.exeMD5
efa2f8f73b3559711149dfdeb8bc288e
SHA1453c70e4b12ecabe860866165ad39de6361215fd
SHA256ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb
SHA51263f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\libraries.zipMD5
dc28d93d4ffd9849985c0dedf6425074
SHA1224d0b1ddb2952372d66495e6432d826b3bfac02
SHA25653515197bbbc76b3b7e6b0c5da2c078cc71d7c86208ca04ea5e5fca92547d2c2
SHA512a91b78ecbcafd54e327700b494ef56ed85f270cba46765f5fcae3d4a8f9b80074a663c9d29e842ea55a7398cc650edec9a7667e0a1de87f43bf5f0a1f71cf1ff
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\mozglue.dllMD5
beee632711993fe38cf290a9d301df42
SHA15c4b214cf77b0e781124b8295ec55263b90d0707
SHA256f7e8d6214a4ffc3188adf133fcbe9f036571a6b6c90718eadbb10339f27c9d9b
SHA512c00ebcc7b12ec456046f95e128cf23636d9fa2af6877a4e994858f8f97088f569dbd720f130db243e0f6f382b60b9636a52d151435f8d65c7eaab3025b1af97f
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\nss3.dllMD5
0cab66732ed0978c1c5d2c378613c504
SHA18d3102b25a1fd36e0f9d4a33f05da107065f0e7a
SHA256101f57145ea784442b4bc267fdfcfab754ee664ca974138838ece9fc4bb4c84d
SHA512cc49bf303158788023295fb406eec9886b44297e3be5d06a1f14d793d09bf66609025731b2c6c97ade17e9c8d4da480d4ba53ac427dcc459fcae9678b8f767da
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\os_outMD5
e61f6d8191310059f70ba867794e8ac4
SHA11592ff630018feeeaf4720e5df4c68774075ca1a
SHA25625e68f1b079fc3bbe25f5b663eb6f8f2398fafd01fceae02c5311cb7a8513404
SHA51288655b6f73e543732cecf2ffe3020b856ab25bd0a3e8902c363172e58cd4915582ee9def30575f708884ef715d8d5d1a28cd11a5d365cc735f93f70968bef08e
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\sqlite3.dllMD5
9502f3ae1cc9398671edfd461275d78d
SHA161e7dbbc8b44db32fa9d3841275718dbd163cd45
SHA256badca203e5d4d79d2107b9ec2c64547157288a43932bb973719375e9ed8d5d12
SHA51279d5e5875218bbc6288500c29b72845fb6427b9cefe9916c13c3301c0c7e02c21a576a597e74532b41932ec4343a21599c252ad5b34c547650f9c5f817ab09eb
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\unzip.exeMD5
75375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
C:\Users\Admin\AppData\Roaming\IronPortCenter\unzip.exeMD5
75375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
\Users\Admin\AppData\Roaming\IronPortCenter\mozglue.dllMD5
beee632711993fe38cf290a9d301df42
SHA15c4b214cf77b0e781124b8295ec55263b90d0707
SHA256f7e8d6214a4ffc3188adf133fcbe9f036571a6b6c90718eadbb10339f27c9d9b
SHA512c00ebcc7b12ec456046f95e128cf23636d9fa2af6877a4e994858f8f97088f569dbd720f130db243e0f6f382b60b9636a52d151435f8d65c7eaab3025b1af97f
-
\Users\Admin\AppData\Roaming\IronPortCenter\nss3.dllMD5
0cab66732ed0978c1c5d2c378613c504
SHA18d3102b25a1fd36e0f9d4a33f05da107065f0e7a
SHA256101f57145ea784442b4bc267fdfcfab754ee664ca974138838ece9fc4bb4c84d
SHA512cc49bf303158788023295fb406eec9886b44297e3be5d06a1f14d793d09bf66609025731b2c6c97ade17e9c8d4da480d4ba53ac427dcc459fcae9678b8f767da
-
\Users\Admin\AppData\Roaming\IronPortCenter\sqlite3.dllMD5
9502f3ae1cc9398671edfd461275d78d
SHA161e7dbbc8b44db32fa9d3841275718dbd163cd45
SHA256badca203e5d4d79d2107b9ec2c64547157288a43932bb973719375e9ed8d5d12
SHA51279d5e5875218bbc6288500c29b72845fb6427b9cefe9916c13c3301c0c7e02c21a576a597e74532b41932ec4343a21599c252ad5b34c547650f9c5f817ab09eb
-
memory/856-126-0x0000000000000000-mapping.dmp
-
memory/1224-121-0x0000000000000000-mapping.dmp
-
memory/1716-137-0x0000000000000000-mapping.dmp
-
memory/1740-138-0x0000000000000000-mapping.dmp
-
memory/2192-117-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/2192-119-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/2192-118-0x0000000000437122-mapping.dmp
-
memory/2856-120-0x0000000000000000-mapping.dmp
-
memory/3488-136-0x0000000000000000-mapping.dmp
-
memory/4000-125-0x0000000000000000-mapping.dmp