Overview
overview
10Static
static
022e3c30a1...66.exe
windows7_x64
10022e3c30a1...66.exe
windows11_x64
10022e3c30a1...66.exe
windows10_x64
104d27dca0a1...ef.exe
windows7_x64
104d27dca0a1...ef.exe
windows11_x64
104d27dca0a1...ef.exe
windows10_x64
10578a3a7a2b...b3.exe
windows7_x64
10578a3a7a2b...b3.exe
windows11_x64
10578a3a7a2b...b3.exe
windows10_x64
109c4880a98c...82.exe
windows7_x64
109c4880a98c...82.exe
windows11_x64
109c4880a98c...82.exe
windows10_x64
10a1dad4a83d...c4.exe
windows7_x64
10a1dad4a83d...c4.exe
windows11_x64
10a1dad4a83d...c4.exe
windows10_x64
10acf1b7d80f...e0.exe
windows7_x64
10acf1b7d80f...e0.exe
windows11_x64
10acf1b7d80f...e0.exe
windows10_x64
10cbf31d825a...d2.exe
windows7_x64
10cbf31d825a...d2.exe
windows11_x64
10cbf31d825a...d2.exe
windows10_x64
10db76a117db...12.exe
windows7_x64
10db76a117db...12.exe
windows11_x64
10db76a117db...12.exe
windows10_x64
10e2ffb8aeeb...f6.exe
windows7_x64
10e2ffb8aeeb...f6.exe
windows11_x64
10e2ffb8aeeb...f6.exe
windows10_x64
10f2196668f4...cb.exe
windows7_x64
10f2196668f4...cb.exe
windows11_x64
10f2196668f4...cb.exe
windows10_x64
10Resubmissions
10-11-2021 14:50
211110-r7nbvaeddr 1008-11-2021 16:12
211108-tnmmbahgaj 1008-11-2021 15:26
211108-svdsbaccf6 1008-11-2021 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
156s -
max time network
154s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
10-11-2021 14:50
Static task
static1
Behavioral task
behavioral1
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win11
Behavioral task
behavioral3
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win7-en-20211104
Behavioral task
behavioral5
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win11
Behavioral task
behavioral6
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win11
Behavioral task
behavioral9
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win7-en-20211014
Behavioral task
behavioral11
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win11
Behavioral task
behavioral12
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10-en-20211014
Behavioral task
behavioral13
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win7-en-20211104
Behavioral task
behavioral14
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win11
Behavioral task
behavioral15
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win7-en-20211104
Behavioral task
behavioral17
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win11
Behavioral task
behavioral18
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10-en-20211014
Behavioral task
behavioral19
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win7-en-20211014
Behavioral task
behavioral20
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win11
Behavioral task
behavioral21
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10-en-20211014
Behavioral task
behavioral22
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win7-en-20211104
Behavioral task
behavioral23
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win11
Behavioral task
behavioral24
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win7-en-20211014
Behavioral task
behavioral26
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win11
Behavioral task
behavioral27
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10-en-20211104
Behavioral task
behavioral28
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win7-en-20211014
Behavioral task
behavioral29
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win11
Behavioral task
behavioral30
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win10-en-20211104
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Malware Config
Signatures
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
qOvdqyVcqbCorVKkcfUuMRqK.exepid process 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe -
Loads dropped DLL 1 IoCs
Processes:
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exepid process 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 ipinfo.io 18 api.db-ip.com 19 api.db-ip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1104 2004 WerFault.exe 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exeWerFault.exepid process 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1104 WerFault.exe 1104 WerFault.exe 1104 WerFault.exe 1104 WerFault.exe 1104 WerFault.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe 1980 qOvdqyVcqbCorVKkcfUuMRqK.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1104 WerFault.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exedescription pid process target process PID 2004 wrote to memory of 1980 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe qOvdqyVcqbCorVKkcfUuMRqK.exe PID 2004 wrote to memory of 1980 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe qOvdqyVcqbCorVKkcfUuMRqK.exe PID 2004 wrote to memory of 1980 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe qOvdqyVcqbCorVKkcfUuMRqK.exe PID 2004 wrote to memory of 1980 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe qOvdqyVcqbCorVKkcfUuMRqK.exe PID 2004 wrote to memory of 1104 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe WerFault.exe PID 2004 wrote to memory of 1104 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe WerFault.exe PID 2004 wrote to memory of 1104 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe WerFault.exe PID 2004 wrote to memory of 1104 2004 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe"C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1412
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/1104-60-0x0000000000000000-mapping.dmp
-
memory/1104-61-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/1980-58-0x0000000000000000-mapping.dmp
-
memory/2004-55-0x0000000076231000-0x0000000076233000-memory.dmpFilesize
8KB
-
memory/2004-56-0x0000000003E80000-0x0000000003FCC000-memory.dmpFilesize
1MB