Analysis
- Max time kernel: 60s
- Max time network: 141s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 02-02-2022 09:09
Static task: static1

Behavioral task: behavioral1
- Sample: b06ca9689a517fa053a77ebce8fab696.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: b06ca9689a517fa053a77ebce8fab696.exe
- Resource: win10v2004-en-20220113
General
- Target: b06ca9689a517fa053a77ebce8fab696.exe
- Size: 605KB
- MD5: b06ca9689a517fa053a77ebce8fab696
- SHA1: 06691dda8b7f412ba4c31f2f78678acbc8262881
- SHA256: 2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece
- SHA512: 9af05fe8d4b2ecb0abcc3283af18950912cc0888bc1a98b3f9164cd839c41ddf6a2dea2c62dfcaaf8b53dac0eb8255ef6527e3f81f6908677d1ed5bce557e917
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: 10203040eam.
Signatures

- Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1460  systems.exe

- Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                  process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe  cmd.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe  cmd.exe

- Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  1476  b06ca9689a517fa053a77ebce8fab696.exe
  1476  b06ca9689a517fa053a77ebce8fab696.exe
  1476  b06ca9689a517fa053a77ebce8fab696.exe
  1476  b06ca9689a517fa053a77ebce8fab696.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  3     ifconfig.me

- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1460  systems.exe
  1460  systems.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           1460  systems.exe
  Token: SeShutdownPrivilege        576   shutdown.exe
  Token: SeRemoteShutdownPrivilege  576   shutdown.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1460  systems.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                      pid   process                               target process
  PID 1476 wrote to memory of 1460  1476  b06ca9689a517fa053a77ebce8fab696.exe  systems.exe
  PID 1476 wrote to memory of 1460  1476  b06ca9689a517fa053a77ebce8fab696.exe  systems.exe
  PID 1476 wrote to memory of 1460  1476  b06ca9689a517fa053a77ebce8fab696.exe  systems.exe
  PID 1476 wrote to memory of 1460  1476  b06ca9689a517fa053a77ebce8fab696.exe  systems.exe
  PID 1476 wrote to memory of 1208  1476  b06ca9689a517fa053a77ebce8fab696.exe  WScript.exe
  PID 1476 wrote to memory of 1208  1476  b06ca9689a517fa053a77ebce8fab696.exe  WScript.exe
  PID 1476 wrote to memory of 1208  1476  b06ca9689a517fa053a77ebce8fab696.exe  WScript.exe
  PID 1476 wrote to memory of 1208  1476  b06ca9689a517fa053a77ebce8fab696.exe  WScript.exe
  PID 1208 wrote to memory of 676   1208  WScript.exe                           cmd.exe
  PID 1208 wrote to memory of 676   1208  WScript.exe                           cmd.exe
  PID 1208 wrote to memory of 676   1208  WScript.exe                           cmd.exe
  PID 1208 wrote to memory of 676   1208  WScript.exe                           cmd.exe
  PID 676 wrote to memory of 576    676   cmd.exe                               shutdown.exe
  PID 676 wrote to memory of 576    676   cmd.exe                               shutdown.exe
  PID 676 wrote to memory of 576    676   cmd.exe                               shutdown.exe
  PID 676 wrote to memory of 576    676   cmd.exe                               shutdown.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe"
  PID: 1476
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Public\Downloads\systems.exe
    Command line: "C:\Users\Public\Downloads\systems.exe"
    PID: 1460
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs"
    PID: 1208
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Public\Downloads\vbs.bat" "
      PID: 676
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -t 45
        PID: 576
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1652

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1724
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

- MD5: ade19598f8dad9f073ae38aa05ddbe6d
  SHA1: e354e68fec4371c2dd561aac8507bf9e70c675f9
  SHA256: b71c40c6d22b2bf20b9b86c8a6af04097d39e58ef31dbf4e4c73636756177985
  SHA512: 59f4ec80efa5f4804645fb0ad276177afcf5b70643b47e1d483ee881347d583f1df587289cc11e9972e733b39b9458248475705c7d487c4e109575126ede4ddb

- MD5: 703060ffd10943fcc7f9c0eede5d114a
  SHA1: 5fcd96f61af1d1325a8270b229a182f38f573952
  SHA256: 309cad9f3be025cc5cc1a62d6ea6e6072bd307a9e9af4ab8ddaf7f7ed6f81e03
  SHA512: 74530da055f7c386efb98e36fc52553c1d0e3f33031af8fb87c4ded84f3475bf0c983ed044ddefee1020384020f6c848249cd1a238b97567845bcbb4a8371953

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

- MD5: 7dcef4cc1f3f2a74f8fbc0c0166a27c3
  SHA1: a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b
  SHA256: 92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93
  SHA512: ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3