6711694555512832.zip

General
Target

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

Filesize

403KB

Completed

10-11-2021 14:53

Score
10/10
MD5

f957e397e71010885b67f2afe37d8161

SHA1

a8bf84b971b37ac6e7f66c5e5a7e971a7741401e

SHA256

022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66

Malware Config
Signatures 13

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    Description

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    Tags

  • Downloads MZ/PE file
  • Executes dropped EXE
    qOvdqyVcqbCorVKkcfUuMRqK.exe

    Reported IOCs

    pidprocess
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
  • Checks computer location settings
    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
  • Loads dropped DLL
    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

    Reported IOCs

    pidprocess
    2004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    14ipinfo.io
    18api.db-ip.com
    19api.db-ip.com
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pidpid_targetprocesstarget process
    11042004WerFault.exe022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
  • Suspicious behavior: EnumeratesProcesses
    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exeWerFault.exe

    Reported IOCs

    pidprocess
    2004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1104WerFault.exe
    1104WerFault.exe
    1104WerFault.exe
    1104WerFault.exe
    1104WerFault.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
    1980qOvdqyVcqbCorVKkcfUuMRqK.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1104WerFault.exe
  • Suspicious use of WriteProcessMemory
    022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2004 wrote to memory of 19802004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exe
    PID 2004 wrote to memory of 19802004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exe
    PID 2004 wrote to memory of 19802004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exe
    PID 2004 wrote to memory of 19802004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeqOvdqyVcqbCorVKkcfUuMRqK.exe
    PID 2004 wrote to memory of 11042004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeWerFault.exe
    PID 2004 wrote to memory of 11042004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeWerFault.exe
    PID 2004 wrote to memory of 11042004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeWerFault.exe
    PID 2004 wrote to memory of 11042004022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exeWerFault.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
    "C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
    Checks computer location settings
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe
      "C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe"
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1412
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads

                • C:\Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe

                  MD5

                  3f22bd82ee1b38f439e6354c60126d6d

                  SHA1

                  63b57d818f86ea64ebc8566faeb0c977839defde

                  SHA256

                  265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                  SHA512

                  b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                  Download Submit

                • \Users\Admin\Pictures\Adobe Films\qOvdqyVcqbCorVKkcfUuMRqK.exe

                  MD5

                  3f22bd82ee1b38f439e6354c60126d6d

                  SHA1

                  63b57d818f86ea64ebc8566faeb0c977839defde

                  SHA256

                  265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

                  SHA512

                  b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

                  Download Submit

                • memory/1104-61-0x00000000005C0000-0x00000000005C1000-memory.dmp

                  Download

                • memory/1104-60-0x0000000000000000-mapping.dmp

                  Download

                • memory/1980-58-0x0000000000000000-mapping.dmp

                  Download

                • memory/2004-56-0x0000000003E80000-0x0000000003FCC000-memory.dmp

                  Download

                • memory/2004-55-0x0000000076231000-0x0000000076233000-memory.dmp

                  Download