Analysis

max time kernel: 151s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 09-12-2021 21:57
Static task: static1

Behavioral task: behavioral1
  Sample: 033bd23a236b70e2fe45c57a9b9a1155.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 033bd23a236b70e2fe45c57a9b9a1155.exe
  Resource: win10-en-20211208

(The behaviour recorded on this page is from behavioral1, the windows7_x64 run.)
General

Target: 033bd23a236b70e2fe45c57a9b9a1155.exe
Size: 950KB
MD5: 033bd23a236b70e2fe45c57a9b9a1155
SHA1: cf55475105cf32e3fb63d70dda18b7cb8d794041
SHA256: 56125010c5571fa10c9eb077f5620108f9dae9d5aea04880bfe8ee2a112c3c13
SHA512: d41ed9bedeeb04dd578fbcde94dcba2a278d751b9e5308e5f87d59f7e3c5e01c5ee1f559e10ca16344bab8653c0d530a535cc96065fcad12632ee10978f0d0c3
Malware Config
Signatures

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

Windows security modification
Disables taskbar notifications via registry modification. The process tree attributes this signature to alg.exe; the registry IoCs are:
Processes:
  alg.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2329389628-4064185017-3901522362-1000
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2329389628-4064185017-3901522362-1000\EnableNotifications = "0"
The key is created per user SID, so a host check has to walk every SID under Security Center\Svc rather than look at one fixed path.

Downloads MZ/PE file

Executes dropped EXE 4 IoCs
Processes:
  pid   process
  1564  6kxoOdJ16_mgNmlNYUIn9buw.exe
  468   (process name missing from the report)
  1048  alg.exe
  1660  aspnet_state.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  033bd23a236b70e2fe45c57a9b9a1155.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation

Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1936  033bd23a236b70e2fe45c57a9b9a1155.exe
  468   (process name missing from the report)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report records the TTPs only; no file or registry IoC for browser data is listed.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  alg.exe
    File opened (read-only)  \??\E: through \??\Z: (all 22 letters E to Z, probed in the order E, J, L, Q, R, S, K, M, T, V, W, Z, Y, F, N, O, P, U, X, G, H, I)

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  14    ipinfo.io
  15    ipinfo.io
Drops file in System32 directory 22 IoCs
Processes:
  alg.exe
    File opened for modification
      \??\c:\windows\syswow64\perfhost.exe
      \??\c:\windows\system32\locator.exe
      \??\c:\windows\system32\vssvc.exe
      \??\c:\windows\system32\wbengine.exe
      \??\c:\windows\system32\wbem\wmiApsrv.exe
      \??\c:\windows\system32\msdtc.exe
      \??\c:\windows\system32\dllhost.exe
      \??\c:\windows\system32\lsass.exe
      \??\c:\windows\system32\msiexec.exe
      \??\c:\windows\system32\snmptrap.exe
      \??\c:\windows\system32\fxssvc.exe
      \??\c:\windows\system32\ui0detect.exe
      \??\c:\windows\system32\vds.exe
      \??\c:\windows\system32\svchost.exe
      \??\c:\windows\system32\ieetwcollector.exe
      \??\c:\windows\system32\searchindexer.exe
  033bd23a236b70e2fe45c57a9b9a1155.exe
    File opened for modification
      \??\c:\windows\system32\alg.exe
      \??\c:\windows\system32\svchost.exe
      \??\c:\windows\SysWOW64\alg.exe
      \??\c:\windows\SysWOW64\svchost.exe
    File created
      \??\c:\windows\SysWOW64\flmkgejc.tmp
      \??\c:\windows\system32\ndhmigej.tmp
Every "opened for modification" target is a Windows service or COM host executable, and each touched directory receives a randomly named eight-letter .tmp file (the same pattern recurs in the Program Files and Windows directory sections). That is consistent with the sample rewriting service binaries rather than merely reading them. On an affected host, treat every executable listed here as untrusted until its Authenticode signature and hash have been checked against a known-good copy.
Drops file in Program Files directory 10 IoCs
Processes:
  alg.exe
    File opened for modification
      \??\c:\program files (x86)\google\update\googleupdate.exe
      \??\c:\program files (x86)\microsoft office\office14\groove.exe
      \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
      \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe
      \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
      \??\c:\program files\windows media player\wmpnetwk.exe
    File created
      \??\c:\program files (x86)\mozilla maintenance service\kadjbhhd.tmp
      \??\c:\program files\google\chrome\Application\89.0.4389.114\kpengjpg.tmp
      \??\c:\program files (x86)\microsoft office\office14\iokcjkcf.tmp
      \??\c:\program files (x86)\common files\microsoft shared\source engine\ghljgmah.tmp
Drops file in Windows directory 13 IoCs
Processes:
  alg.exe
    File opened for modification
      \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
      \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
      \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
      \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
      \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
      \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
      \??\c:\windows\servicing\trustedinstaller.exe
      \??\c:\windows\ehome\ehrecvr.exe
      \??\c:\windows\ehome\ehsched.exe
    File created
      \??\c:\windows\microsoft.net\framework\v4.0.30319\jgnejenk.tmp
      \??\c:\windows\microsoft.net\framework64\v4.0.30319\obpdibpb.tmp
  033bd23a236b70e2fe45c57a9b9a1155.exe
    File opened for modification
      \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
    File created
      \??\c:\windows\microsoft.net\framework64\v4.0.30319\afipaeib.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report corroborates ransomware (no bulk writes in user directories, no ransom note), and the drive walk is equally consistent with the executable-modification behaviour recorded in the sections above.
Program crash 1 IoCs
Processes:
  pid  pid_target  process       target process
  300  1936        WerFault.exe  033bd23a236b70e2fe45c57a9b9a1155.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                               hits
  1936  033bd23a236b70e2fe45c57a9b9a1155.exe  1
  1564  6kxoOdJ16_mgNmlNYUIn9buw.exe          63
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid  process
  300  WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  token                     pid   process
  SeTakeOwnershipPrivilege  1936  033bd23a236b70e2fe45c57a9b9a1155.exe
  SeDebugPrivilege          300   WerFault.exe
  SeTakeOwnershipPrivilege  1048  alg.exe
SeTakeOwnershipPrivilege in both the sample and alg.exe fits the file activity above: taking ownership is the usual prerequisite for rewriting TrustedInstaller-owned executables under System32 and Program Files. The SeDebugPrivilege entry is WerFault.exe handling the crash of pid 1936 and is expected.
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 1936 (033bd23a236b70e2fe45c57a9b9a1155.exe) wrote to memory of 1564 (6kxoOdJ16_mgNmlNYUIn9buw.exe)  4 times
  PID 1936 (033bd23a236b70e2fe45c57a9b9a1155.exe) wrote to memory of 300 (WerFault.exe)  4 times
System policy modification 1 TTPs 2 IoCs
Processes:
  alg.exe
    Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
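The registry, file-drop and IP-lookup behaviours listed above translate directly into host detections. The following Python is an added example, not part of the sandbox report: it runs a few rules over constructed Sysmon-style events (EventID 11 FileCreate, 13 RegistryEvent value set, 22 DnsQuery, using Sysmon's field names) that mirror the report's IoCs. The event dictionaries, the rule names, and the attribution of the ipinfo.io query to the dropped EXE are assumptions made for the example; the report does not tie its two ipinfo.io flows to a process.

```python
"""Detection rules for the behaviours in this report, run over constructed
Sysmon-style events.  Added example; the events below are made up to mirror
the report's IoCs and are not sandbox output."""
import re
from dataclasses import dataclass

# alg.exe set this to 0.  The key lives under one sub-key per user SID, so
# match the SID shape instead of the literal SID from the report.
SECURITY_CENTER_NOTIF = re.compile(
    r"\\software\\microsoft\\security center\\svc\\s-1-5-21-[0-9-]+\\enablenotifications$"
)
HIDE_SCA_HEALTH = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\hidescahealth$"
)
# Eight lowercase letters + .tmp, dropped beside every executable it touched.
RANDOM_TMP = re.compile(r"\\[a-z]{8}\.tmp$")
# A random .tmp next to service binaries is suspicious; one in %TEMP% is not.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Only the lookup service seen in this report; add others as you see them.
IP_LOOKUP_HOSTS = {"ipinfo.io"}

_DWORD = re.compile(r"^DWORD \(0x([0-9a-fA-F]{8})\)$")


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000000)' rendering; None if not a DWORD."""
    m = _DWORD.match(details or "")
    return int(m.group(1), 16) if m else None


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    evidence: str


def evaluate(events):
    """Return one Alert per event that matches a rule."""
    alerts = []
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev["Image"]
        if eid == 13:  # registry value set
            target = ev["TargetObject"].lower()
            value = dword_value(ev.get("Details"))
            if SECURITY_CENTER_NOTIF.search(target) and value == 0:
                alerts.append(Alert("security_center_notifications_disabled", pid, image, ev["TargetObject"]))
            elif HIDE_SCA_HEALTH.search(target) and value == 1:
                alerts.append(Alert("action_center_icon_hidden", pid, image, ev["TargetObject"]))
        elif eid == 11:  # file create
            path = ev["TargetFilename"].lower()
            if RANDOM_TMP.search(path) and path.startswith(SYSTEM_DIRS):
                alerts.append(Alert("random_tmp_in_system_dir", pid, image, ev["TargetFilename"]))
        elif eid == 22:  # DNS query
            if ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
                alerts.append(Alert("external_ip_lookup", pid, image, ev["QueryName"]))
    return alerts


def rules_by_pid(alerts):
    """Group fired rule names per process, so the triager sees the cluster."""
    out = {}
    for a in alerts:
        out.setdefault(a.pid, set()).add(a.rule)
    return out


# Constructed events mirroring the report's IoCs (pids from the report); the
# last two are benign controls that must not fire.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\033bd23a236b70e2fe45c57a9b9a1155.exe"
ALG = "C:\\Windows\\System32\\alg.exe"
SID = "S-1-5-21-2329389628-4064185017-3901522362-1000"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 1048, "Image": ALG, "Details": "DWORD (0x00000000)",
     "TargetObject": f"HKLM\\SOFTWARE\\Microsoft\\Security Center\\Svc\\{SID}\\EnableNotifications"},
    {"EventID": 13, "ProcessId": 1048, "Image": ALG, "Details": "DWORD (0x00000001)",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth"},
    {"EventID": 11, "ProcessId": 1936, "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\SysWOW64\\flmkgejc.tmp"},
    {"EventID": 11, "ProcessId": 1048, "Image": ALG,
     "TargetFilename": "C:\\Program Files (x86)\\Mozilla Maintenance Service\\kadjbhhd.tmp"},
    # pid attribution assumed for the example; the report does not record it
    {"EventID": 22, "ProcessId": 1564, "Image": "C:\\Users\\Admin\\Pictures\\Adobe Films\\6kxoOdJ16_mgNmlNYUIn9buw.exe",
     "QueryName": "ipinfo.io"},
    {"EventID": 13, "ProcessId": 1200, "Image": "C:\\Windows\\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": f"HKLM\\SOFTWARE\\Microsoft\\Security Center\\Svc\\{SID}\\EnableNotifications"},
    {"EventID": 11, "ProcessId": 1200, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\abcdefgh.tmp"},
]

if __name__ == "__main__":
    for pid, rules in sorted(rules_by_pid(evaluate(SAMPLE_EVENTS)).items()):
        print(pid, sorted(rules))
```

The value checks matter: EnableNotifications being re-set to 1 or HideSCAHealth to 0 is the legitimate direction and must not alert, which is why the benign control with the same key path produces nothing. The .tmp rule keys on location as much as on name; the same eight-letter file in %TEMP% is ignored.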
Processes

C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe  (pid 1936)
  "C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe  (pid 1564, child of 1936)
    "C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\WerFault.exe  (pid 300, child of 1936)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 580
    - Program crash
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe  (pid 1048)
  C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  (pid 1660)
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\System32\alg.exe and the aspnet_state.exe entry are the system binaries the sample opened for modification (see "Drops file in System32 directory" and "Drops file in Windows directory"); the hashes below are for the files as they existed after that, which is what to hunt for on other hosts. Each file is listed by the report twice, with and without the drive letter; the hashes are identical.

C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe
(also listed as \Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe)
  MD5     3f22bd82ee1b38f439e6354c60126d6d
  SHA1    63b57d818f86ea64ebc8566faeb0c977839defde
  SHA256  265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
  SHA512  b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
(also listed as \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe)
  MD5     5414af7b560e0b1fdd25b5aaeeaad6f0
  SHA1    d57aa9e795b5f5fe817e481a3679187acf084fbc
  SHA256  8165f81eb06073e19f184f4846fc6d0620d3d047d2cb2a64f12b28b03bd3c27e
  SHA512  67f419043a73fa80812e29e0a35d6eb908577ebb856921d0529d323de14bac4b99d017cffbb8d137a66262cd21147c19cba92eaabbbb1ff9794b9ce278a85218

C:\Windows\System32\alg.exe
(also listed as \Windows\System32\alg.exe)
  MD5     e6ad28f9b9c6e50aa30fc29fa3339096
  SHA1    e2c93213c5087ef9693530d874a9a540ebd6b7e0
  SHA256  cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e
  SHA512  455fea6ed34ed2775bd53103679ebf66ea9c01657d9dc0b27ed1c7524b398dc6225c830bb2bc310c7fee39ba8ed682cd5b74009b8cd757227760f4ba290d9f1e

Memory dumps (pid, dump, region, size):
  300   memory/300-68    0x0000000000000000 (mapping.dmp)
  300   memory/300-70    0x0000000000620000-0x0000000000621000  4KB
  1048  memory/1048-64   0x00000000FFEA0000-0x00000000FFF6F000  828KB
  1048  memory/1048-69   0x00000000FFEA0000-0x00000000FFF6F000  828KB
  1564  memory/1564-60   0x0000000000000000 (mapping.dmp)
  1660  memory/1660-67   0x000000013F760000-0x000000013F828000  800KB
  1936  memory/1936-54   0x0000000000C50000-0x0000000000D73000  1.1MB
  1936  memory/1936-55   0x0000000000C50000-0x0000000000D73000  1.1MB
  1936  memory/1936-56   0x00000000760F1000-0x00000000760F3000  8KB
  1936  memory/1936-57   0x0000000003B00000-0x0000000003C4E000  1.3MB
  1936  memory/1936-58   0x0000000000C50000-0x0000000000D73000  1.1MB