Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16-02-2022 12:02

General

  • Target

    f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe

  • Size

    120KB

  • MD5

    b3fc46850b5a965b6c042fdb9b8a928d

  • SHA1

    48de02bb71a3434675d767114692c2741e374fd9

  • SHA256

    f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44

  • SHA512

    905cb59bd5d0e0f7d523e50c16b804c23d000d6d501b84abecc13e2d79f40879f9e4455dd969e25d33cc493d041b985cebccaa332704839f2170459539c8d7ee

Score
10/10

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp.php?usr=ssska

Wallets

rGWRCDTnxm6PbeTquXpfGaJUCdJPQa9YCU

THd43QUSXYv3uuHuvg1TtnDx1LZghcxoEW

GCQ3W4M3FC7JQ7XS5QVUFJATPPRP7XOBJOBCQLQVHG5WHISN4HKJRZZG

47hVDokEdB8HbH7eKR7DLgeDXm7m6q3JmWRzBAgNq5jHEZecWrdzp1sTE1EXRU5rAj2roRSYnzvTxaxq4nDdVdGdTQAsH1y

qq6qmn7hewgsnesl2xjh7vjqf2cg2ysdhusx5jjygs

bc1qqpuu63gd8v87yvkjw6zgwr7u5plx5hs5z4khje

0xfaCC30908F531Badecb2e8B21E182520484Fb66B

Ldh6yphmCg3gLkigDchATQN9Wbj7K6Zdzy

Signatures

  • Allcome

    A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe
    "C:\Users\Admin\AppData\Local\Temp\f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      2⤵
      • Creates scheduled task(s)
      PID:268
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AD11B8A4-3B95-4E12-A99D-E294E4198CB3} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      2⤵
      • Executes dropped EXE
      PID:960
    • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      2⤵
      • Executes dropped EXE
      PID:2036
    • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      2⤵
      • Executes dropped EXE
      PID:1168

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp

    Filesize

    8KB