Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    22/02/2022, 19:34

General

  • Target

    0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe

  • Size

    13.7MB

  • MD5

    c2183b7c9c1379e8f373afb7dc3ce5c6

  • SHA1

    aa108b83f7a8b3549da0d73fff9b7437a390ae74

  • SHA256

    0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2

  • SHA512

    cc2ef515ed510fb24c4646e485a91b48f8fd7a1c301d1097cb320dac84b527ac9674c39400bc095b17361ea375bb9b291fd714ce8c1efcd9a277d07a449ccdeb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zcb79451

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 9 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5e3b9050de27a940cdc6d7d92d7d3fa6c2c355784bf58128125f0f711d6ca2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe
      "C:\Users\Admin\AppData\Local\Temp\SMB2021.dll.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
        3⤵
        • Executes dropped EXE
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
        3⤵
        • Executes dropped EXE
        PID:932
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
        3⤵
        • Executes dropped EXE
        PID:1040
    • C:\Users\Admin\AppData\Local\Temp\34.exe
      "C:\Users\Admin\AppData\Local\Temp\34.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Windows\system32\FonDUE.EXE
          "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
          PID:2024
    • C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
      "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1328
    • C:\Users\Admin\AppData\Local\Temp\result.exe
      "C:\Users\Admin\AppData\Local\Temp\result.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\result.exe" >> NUL
        3⤵
        PID:3980
    • C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe
      "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\saint-1.0-jar-with-dependencies.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:3364

Network

MITRE ATT&CK Enterprise v6

Downloads

  Memory dump                                                          Filesize
  memory/884-146-0x000000007327E000-0x000000007327F000-memory.dmp      4KB
  memory/884-149-0x00000000025D0000-0x00000000025D1000-memory.dmp      4KB
  memory/884-142-0x00000000002E0000-0x0000000000374000-memory.dmp      592KB
  memory/884-158-0x00000000051B0000-0x0000000005206000-memory.dmp      344KB
  memory/884-152-0x0000000005020000-0x00000000050B2000-memory.dmp      584KB
  memory/884-151-0x0000000005530000-0x0000000005AD4000-memory.dmp      5.6MB
  memory/884-150-0x0000000004EE0000-0x0000000004F7C000-memory.dmp      624KB
  memory/884-157-0x0000000004F80000-0x0000000004F8A000-memory.dmp      40KB
  memory/2656-147-0x0000000003240000-0x00000000034B0000-memory.dmp     2.4MB
  memory/2656-153-0x00000000013A0000-0x00000000013A1000-memory.dmp     4KB
  memory/2656-181-0x00000000013A0000-0x00000000013A1000-memory.dmp     4KB
  memory/2656-189-0x00000000013A0000-0x00000000013A1000-memory.dmp     4KB
  memory/4072-148-0x0000000003090000-0x0000000003300000-memory.dmp     2.4MB
  memory/4072-154-0x0000000001300000-0x0000000001301000-memory.dmp     4KB
  memory/4072-180-0x0000000001300000-0x0000000001301000-memory.dmp     4KB
  memory/4072-184-0x0000000001300000-0x0000000001301000-memory.dmp     4KB