8737889b676e5b9fc9511cb9f2bb692032e944739d8d77e4cece07395014f16c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
10-01-2022 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c59169b97872d5c4d49ffb4739fff1e.exe
Size

463KB
MD5

6c59169b97872d5c4d49ffb4739fff1e
SHA1

1d58ddc670cada78ce42a24d53addfac251602cd
SHA256

8737889b676e5b9fc9511cb9f2bb692032e944739d8d77e4cece07395014f16c
SHA512

6ee1bdaf611463a726761be86aa3de66b03cdeba00849322664d19c7cd9bc2a69daf4d75d644e4152f5edb7da3cea70d9e06b859df7b48431df7bffea68b7bc0

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
suricata
suricata: ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
suricata
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
suricata: ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

unzip.exePsInfo64.exe7za.exe

pid process

1928 unzip.exe
1328 PsInfo64.exe
1364 7za.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

1552 cmd.exe
1552 cmd.exe
1404 cmd.exe
900 cmd.exe
900 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1928	unzip.exe
1328	PsInfo64.exe
1364	7za.exe

pid	process
1552	cmd.exe
1552	cmd.exe
1404	cmd.exe
900	cmd.exe
900	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PsInfo64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PsInfo64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PsInfo64.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

6c59169b97872d5c4d49ffb4739fff1e.exePsInfo64.exepowershell.exe

pid	process
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1648	6c59169b97872d5c4d49ffb4739fff1e.exe
1328	PsInfo64.exe
1328	PsInfo64.exe
1776	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe7za.exe

description	pid	process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeRestorePrivilege	1364	7za.exe
Token: 35	1364	7za.exe
Token: SeSecurityPrivilege	1364	7za.exe
Token: SeSecurityPrivilege	1364	7za.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6c59169b97872d5c4d49ffb4739fff1e.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 1552	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1552	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1552	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1552	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1552 wrote to memory of 1928	1552	cmd.exe	unzip.exe
PID 1552 wrote to memory of 1928	1552	cmd.exe	unzip.exe
PID 1552 wrote to memory of 1928	1552	cmd.exe	unzip.exe
PID 1552 wrote to memory of 1928	1552	cmd.exe	unzip.exe
PID 1648 wrote to memory of 1404	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1404	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1404	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1404	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1404 wrote to memory of 1328	1404	cmd.exe	PsInfo64.exe
PID 1404 wrote to memory of 1328	1404	cmd.exe	PsInfo64.exe
PID 1404 wrote to memory of 1328	1404	cmd.exe	PsInfo64.exe
PID 1404 wrote to memory of 1328	1404	cmd.exe	PsInfo64.exe
PID 1648 wrote to memory of 1992	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1992	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1992	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 1992	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1992 wrote to memory of 1776	1992	cmd.exe	powershell.exe
PID 1992 wrote to memory of 1776	1992	cmd.exe	powershell.exe
PID 1992 wrote to memory of 1776	1992	cmd.exe	powershell.exe
PID 1992 wrote to memory of 1776	1992	cmd.exe	powershell.exe
PID 1648 wrote to memory of 900	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 900	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 900	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 1648 wrote to memory of 900	1648	6c59169b97872d5c4d49ffb4739fff1e.exe	cmd.exe
PID 900 wrote to memory of 1364	900	cmd.exe	7za.exe
PID 900 wrote to memory of 1364	900	cmd.exe	7za.exe
PID 900 wrote to memory of 1364	900	cmd.exe	7za.exe
PID 900 wrote to memory of 1364	900	cmd.exe	7za.exe

C:\Users\Admin\AppData\Local\Temp\6c59169b97872d5c4d49ffb4739fff1e.exe
"C:\Users\Admin\AppData\Local\Temp\6c59169b97872d5c4d49ffb4739fff1e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\MailroutePackage" & unzip.exe -o libraries.zip
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Roaming\MailroutePackage\unzip.exe
    unzip.exe -o libraries.zip
    3⤵
    - Executes dropped EXE
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\MailroutePackage\PsInfo64.exe /accepteula kernel > "C:\Users\Admin\AppData\Roaming\MailroutePackage\os_out"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Roaming\MailroutePackage\PsInfo64.exe
    C:\Users\Admin\AppData\Roaming\MailroutePackage\PsInfo64.exe /accepteula kernel
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('%userprofile%\Start Menu\Programs\Startup\MailroutePackage.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\6c59169b97872d5c4d49ffb4739fff1e.exe';$s.Save()"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Start Menu\Programs\Startup\MailroutePackage.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\6c59169b97872d5c4d49ffb4739fff1e.exe';$s.Save()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe x "C:\Users\Admin\AppData\Local\temp\chromium89.7z" -o"C:\Users\Admin\AppData\Roaming"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe
    C:\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe x "C:\Users\Admin\AppData\Local\temp\chromium89.7z" -o"C:\Users\Admin\AppData\Roaming"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\chromium89.7z

MD5
4c127ed294686a00b6bc414c3984c185

SHA1
128b851818a350e9ee46cd1ef7e8bb19dee759cd

SHA256
65f335226ab7d0b47d424aa3391c240352c25dddbc666b12c67c583140691d2c

SHA512
7cc88e3caabd42652030f441d867b577b7ab2fc1b7886f69c43745778918323d551ddd5e61218cfa54b2d40338cc2f111983ce583df9f1eb8aada530ce645aaf

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\PsInfo64.exe

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\libraries.zip

MD5
dc28d93d4ffd9849985c0dedf6425074

SHA1
224d0b1ddb2952372d66495e6432d826b3bfac02

SHA256
53515197bbbc76b3b7e6b0c5da2c078cc71d7c86208ca04ea5e5fca92547d2c2

SHA512
a91b78ecbcafd54e327700b494ef56ed85f270cba46765f5fcae3d4a8f9b80074a663c9d29e842ea55a7398cc650edec9a7667e0a1de87f43bf5f0a1f71cf1ff

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\os_out

MD5
80f234991a2af840c5a53329c85e9a39

SHA1
a3313dc21301332cbf9f3b251c645665c9f6ec2b

SHA256
a1950f310a92e9b429a04520e1b8ad4ec6c132ef60d3ab6e004fa0d77a7a3bd7

SHA512
117b59b3d53a882a0f651930376ff5b0c2a0c446fdf5584460eaf93e50e18898f5750104d23ffb27e3e188118247f3c7e23d1f730f41075dd6c2e4f259b96a69

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\unzip.exe

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\MailroutePackage\unzip.exe

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
\Users\Admin\AppData\Roaming\MailroutePackage\7za.exe

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
\Users\Admin\AppData\Roaming\MailroutePackage\PsInfo64.exe

MD5
efa2f8f73b3559711149dfdeb8bc288e

SHA1
453c70e4b12ecabe860866165ad39de6361215fd

SHA256
ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb

SHA512
63f75a3d639a912e2e3966e9d410f8e1c52b75300518bb5083853ef2633c7e109c037ea2b66ced57bd5b319866a14bcd92254cb38ab9ec7b99465b0a8a8f5f3e

Download Submit
\Users\Admin\AppData\Roaming\MailroutePackage\unzip.exe

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Roaming\MailroutePackage\unzip.exe

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
memory/900-73-0x0000000000000000-mapping.dmp

Download
memory/1328-64-0x0000000000000000-mapping.dmp

Download
memory/1364-77-0x0000000000000000-mapping.dmp

Download
memory/1404-62-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download
memory/1776-68-0x0000000000000000-mapping.dmp

Download
memory/1776-71-0x0000000002421000-0x0000000002422000-memory.dmp

Filesize
4KB

Download
memory/1776-72-0x0000000002422000-0x0000000002424000-memory.dmp

Filesize
8KB

Download
memory/1776-70-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1928-59-0x0000000000000000-mapping.dmp

Download
memory/1992-67-0x0000000000000000-mapping.dmp

Download