Analysis

max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 22/02/2022, 19:34

Static task: static1

Behavioral task: behavioral1
  Sample: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
  Resource: win10v2004-en-20220113
General

Target: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
Size: 13.7MB
MD5: c2183b7c9c1379e8f373afb7dc3ce5c6
SHA1: aa108b83f7a8b3549da0d73fff9b7437a390ae74
SHA256: 0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2
SHA512: cc2ef515ed510fb24c4646e485a91b48f8fd7a1c301d1097cb320dac84b527ac9674c39400bc095b17361ea375bb9b291fd714ce8c1efcd9a277d07a449ccdeb
Malware Config

Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: zcb79451
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource                                      yara_rule
behavioral2/files/0x000500000001e783-136.dat  MailPassView
behavioral2/files/0x000500000001e783-135.dat  MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource                                      yara_rule
behavioral2/files/0x000500000001e783-136.dat  WebBrowserPassView
behavioral2/files/0x000500000001e783-135.dat  WebBrowserPassView

Nirsoft (6 IoCs)
resource                                      yara_rule
behavioral2/files/0x000500000001e783-136.dat  Nirsoft
behavioral2/files/0x000500000001e783-135.dat  Nirsoft
behavioral2/files/0x000400000001e79a-165.dat  Nirsoft
behavioral2/files/0x000400000001e79a-166.dat  Nirsoft
behavioral2/files/0x000300000001e79f-174.dat  Nirsoft
behavioral2/files/0x000300000001e79f-175.dat  Nirsoft

Executes dropped EXE (9 IoCs)
pid   Process
884   SMB2021.dll.exe
440   34.exe
1280  saint-1.0-jar-with-dependencies.exe
4080  result.exe
944   saint-1.0-jar-with-dependencies.exe
2456  WebBrowserPassView1.exe
628   WebBrowserPassView2.exe
932   WebBrowserPassView3.exe
1040  WebBrowserPassView4.exe

resource                                      yara_rule
behavioral2/files/0x000400000001e79d-173.dat  upx
behavioral2/files/0x000400000001e79d-172.dat  upx
behavioral2/files/0x000300000001e7a2-177.dat  upx
behavioral2/files/0x000300000001e7a2-178.dat  upx
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                                Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    result.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  result.exe

Loads dropped DLL (2 IoCs)
pid   Process
2656  javaw.exe
4072  javaw.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                                                                                   Process
Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                          REG.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\(s)AINT\\saint.jar"  REG.exe
Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                          REG.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\(s)AINT\\saint.jar"  REG.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
24    whatismyip.akamai.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                 Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  result.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           result.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      result.exe

Modifies registry key (1 TTPs, 2 IoCs)
pid   Process
3364  REG.exe
1328  REG.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process
4080  result.exe  (12 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                pid  Process
Token: SeDebugPrivilege    628  WebBrowserPassView2.exe
Token: SeRestorePrivilege  628  WebBrowserPassView2.exe
Token: SeBackupPrivilege   628  WebBrowserPassView2.exe
Token: SeDebugPrivilege    884  SMB2021.dll.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid   Process
2656  javaw.exe
2656  javaw.exe
4072  javaw.exe
4072  javaw.exe
2656  javaw.exe
4072  javaw.exe
Suspicious use of WriteProcessMemory (43 IoCs)
description                         pid   Process                                                                  procid_target
PID 1852 wrote to memory of 884     1852  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe    84   (x3)
PID 1852 wrote to memory of 440     1852  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe    85   (x3)
PID 440 wrote to memory of 1180     440   34.exe                                                                   86   (x3)
PID 1852 wrote to memory of 1280    1852  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe    87   (x3)
PID 1280 wrote to memory of 2656    1280  saint-1.0-jar-with-dependencies.exe                                      88   (x2)
PID 1852 wrote to memory of 4080    1852  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe    89   (x3)
PID 1852 wrote to memory of 944     1852  0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe    90   (x3)
PID 944 wrote to memory of 4072     944   saint-1.0-jar-with-dependencies.exe                                      91   (x2)
PID 1180 wrote to memory of 2024    1180  fondue.exe                                                               92   (x2)
PID 4072 wrote to memory of 3364    4072  javaw.exe                                                                94   (x2)
PID 2656 wrote to memory of 1328    2656  javaw.exe                                                                95   (x2)
PID 4080 wrote to memory of 3980    4080  result.exe                                                               98   (x3)
PID 884 wrote to memory of 2456     884   SMB2021.dll.exe                                                          100  (x3)
PID 884 wrote to memory of 628      884   SMB2021.dll.exe                                                          101  (x3)
PID 884 wrote to memory of 932      884   SMB2021.dll.exe                                                          103  (x3)
PID 884 wrote to memory of 1040     884   SMB2021.dll.exe                                                          104  (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1852

  C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 884

    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
    - Executes dropped EXE
    PID: 2456

    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 628

    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
    - Executes dropped EXE
    PID: 932

    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
    - Executes dropped EXE
    PID: 1040

  C:\Users\Admin\AppData\Local\Temp\34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 440

    C:\Windows\SysWOW64\fondue.exe
    Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    - Suspicious use of WriteProcessMemory
    PID: 1180

      C:\Windows\system32\FonDUE.EXE
      Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 2024

  C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1280

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2656

      C:\Windows\SYSTEM32\REG.exe
      Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
      - Adds Run key to start application
      - Modifies registry key
      PID: 1328

  C:\Users\Admin\AppData\Local\Temp\result.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\result.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4080

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\result.exe" >> NUL
    PID: 3980

  C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 944

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4072

      C:\Windows\SYSTEM32\REG.exe
      Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
      - Adds Run key to start application
      - Modifies registry key
      PID: 3364