Overview

overview

10

Static

static

10

f234b6d180...44.exe

windows7_x64

10

f234b6d180...44.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    16-02-2022 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe

  • Size

    120KB

  • MD5

    b3fc46850b5a965b6c042fdb9b8a928d

  • SHA1

    48de02bb71a3434675d767114692c2741e374fd9

  • SHA256

    f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44

  • SHA512

    905cb59bd5d0e0f7d523e50c16b804c23d000d6d501b84abecc13e2d79f40879f9e4455dd969e25d33cc493d041b985cebccaa332704839f2170459539c8d7ee

Score
10/10
allcomestealer

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp.php?usr=ssska

Wallets

rGWRCDTnxm6PbeTquXpfGaJUCdJPQa9YCU

THd43QUSXYv3uuHuvg1TtnDx1LZghcxoEW

GCQ3W4M3FC7JQ7XS5QVUFJATPPRP7XOBJOBCQLQVHG5WHISN4HKJRZZG

47hVDokEdB8HbH7eKR7DLgeDXm7m6q3JmWRzBAgNq5jHEZecWrdzp1sTE1EXRU5rAj2roRSYnzvTxaxq4nDdVdGdTQAsH1y

qq6qmn7hewgsnesl2xjh7vjqf2cg2ysdhusx5jjygs

bc1qqpuu63gd8v87yvkjw6zgwr7u5plx5hs5z4khje

0xfaCC30908F531Badecb2e8B21E182520484Fb66B

Ldh6yphmCg3gLkigDchATQN9Wbj7K6Zdzy

Signatures

  • Allcome

    A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    stealerallcome
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe
    "C:\Users\Admin\AppData\Local\Temp\f234b6d1801e1d4105de18a74ecd99f64cbdd7c47d6079bb2994d38ed7b0de44.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
      2⤵
      • Creates scheduled task(s)
      PID:1568
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4944
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:752
  • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    1⤵
    • Executes dropped EXE
    PID:3916
  • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    1⤵
    • Executes dropped EXE
    PID:3008
  • C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    1⤵
    • Executes dropped EXE
    PID:3604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4944-130-0x0000015D5CF60000-0x0000015D5CF70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-131-0x0000015D5D520000-0x0000015D5D530000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-132-0x0000015D5FBB0000-0x0000015D5FBB4000-memory.dmp

    Filesize

    16KB

    Download