Overview

overview

8

Static

static

sample.exe

windows10-2004_x64

8

Resubmissions

25-02-2022 16:28

220225-tysw3shhhm 8

19-05-2021 13:45

210519-8m9k3t3eza 8

Analysis

  • max time kernel
    433s
  • max time network
    435s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    25-02-2022 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    179KB

  • MD5

    61fccc142e2bbf498885bb6e42bae62c

  • SHA1

    7f15507c7798d8b99696c19929c86c6c629eb2f5

  • SHA256

    ae91da58a702252cc0dabcf19fa65e9655c7b7143e71e048aad1ebe59a31aabf

  • SHA512

    a3cc95a442581d02c97d4fe48494b157f37e5dff4ddf175723a2c99e442492370ad65f9f22da29ffd020754445193215b7dadc3515ab8cee91b6dd3b1f1202b1

Score
8/10
ransomwarespywarestealer

Malware Config

Signatures

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    PID:1040
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2396
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:736
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffab3e54f50,0x7ffab3e54f60,0x7ffab3e54f70
      2⤵
        PID:1052
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.0.631519261\302609142" -parentBuildID 20200403170909 -prefsHandle 2064 -prefMapHandle 2056 -prefsLen 1 -prefMapSize 216161 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2160 gpu
          3⤵
            PID:1532
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.6.1614987940\1866993424" -childID 1 -isForBrowser -prefsHandle 1960 -prefMapHandle 2008 -prefsLen 708 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2556 tab
            3⤵
              PID:3256
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.13.358960565\2113770606" -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 753 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3036 tab
              3⤵
                PID:3080
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.20.1990642490\1605788752" -childID 3 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 8151 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3380 tab
                3⤵
                  PID:2600
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.27.1255951810\283985959" -childID 4 -isForBrowser -prefsHandle 2860 -prefMapHandle 3304 -prefsLen 9887 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2884 tab
                  3⤵
                    PID:400
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.34.1997031220\1326932171" -childID 5 -isForBrowser -prefsHandle 3112 -prefMapHandle 3016 -prefsLen 12419 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3124 tab
                    3⤵
                      PID:980
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2932

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Credential Access

                  Credentials in Files

                  1
                  T1081

                  Discovery

                  Query Registry

                  2
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  System Information Discovery

                  2
                  T1082

                  Lateral Movement

                  Collection

                  Data from Local System

                  1
                  T1005

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                    MD5

                    3f2fc9950237c905650b841809bca2a8

                    SHA1

                    89c6b1489d8aa00ccaa3738d72ba6193923e16bc

                    SHA256

                    7ca9a484be0f0adb35e1c194191590efb7e22a52a3ab7b2f7c8df0ed596f2a54

                    SHA512

                    7420b183cef7509d50427477bdee2df5dceb1d4d694c3b2afd16dd05c3e25edd3de49bd1ebc841de46383a5bef50c9a0d5f43a62071dd114fce0851fbf301ba2

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                    MD5

                    3f2fc9950237c905650b841809bca2a8

                    SHA1

                    89c6b1489d8aa00ccaa3738d72ba6193923e16bc

                    SHA256

                    7ca9a484be0f0adb35e1c194191590efb7e22a52a3ab7b2f7c8df0ed596f2a54

                    SHA512

                    7420b183cef7509d50427477bdee2df5dceb1d4d694c3b2afd16dd05c3e25edd3de49bd1ebc841de46383a5bef50c9a0d5f43a62071dd114fce0851fbf301ba2

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\AlternateServices.txt.matryoshka
                    MD5

                    2163808299db50591734821561142111

                    SHA1

                    583a912db6bb94190313e92eedc0cb5327540121

                    SHA256

                    41e6014fff2f15f039b9d3cc57f92faa3c9cdad9ecb4c9b24fba1dc949753abe

                    SHA512

                    3ef7e45948ba6067875bf60d7393e589104f186e96f73ea396bc7819628d70b58550d2516f44e4c631e6780a0359ee9b21808e7c208fa003577cb306806d5e99

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\SecurityPreloadState.txt.matryoshka
                    MD5

                    2163808299db50591734821561142111

                    SHA1

                    583a912db6bb94190313e92eedc0cb5327540121

                    SHA256

                    41e6014fff2f15f039b9d3cc57f92faa3c9cdad9ecb4c9b24fba1dc949753abe

                    SHA512

                    3ef7e45948ba6067875bf60d7393e589104f186e96f73ea396bc7819628d70b58550d2516f44e4c631e6780a0359ee9b21808e7c208fa003577cb306806d5e99

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\SiteSecurityServiceState.txt.matryoshka
                    MD5

                    86c9c4536e60892613c0057c4bb7c4ae

                    SHA1

                    02e5e4744fa58724823b22f9e389a05824e88aaf

                    SHA256

                    decdba0049d707c748efd1a88bd78e39b9fd4c0389698ea7b116039934574f26

                    SHA512

                    49e4a413059fe02c4da6bdb4c88a876fc81989796dcce925479fcc115eef4ba0ff5c2b0cd8b28bd024f4558400d36002947302804423dfbc40df50dcf5e548f1

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\addons.json.matryoshka
                    MD5

                    c717c5714cac344946cd0bad6af4fc18

                    SHA1

                    3887d326a1277e3a0a4154784d9985f758f7ff3a

                    SHA256

                    0f740e09dfd10e554d599bd0b48c42172a383214e49dc5ac1d2e4a88c40d2ec2

                    SHA512

                    b092c03212597082adcb19756c1492c921dc98ab0d000b657f416d79f75bd039302c5ff3be56e79d72e0898cbe277612dfbd4ce523d992bc0d312968e7cc95bf

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\cert9.db.matryoshka
                    MD5

                    9a97f2ec7bb0f59e17ad2449f639a5c1

                    SHA1

                    5fb109dd08de39a18b323c0ebe8211ceb83ab36d

                    SHA256

                    eefa7d3e269bd5b931684ac6be3cc247152b5df1107efa1c78eb7890d915de67

                    SHA512

                    7e95e870a5d7a6b25a043537e3b13045488f42bbd7cdd0fb185cd9bae9490a82529145e00cdadba6a4c81c4316fd42007155e2dd2eb997424d2f37733efd2bcc

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\containers.json.matryoshka
                    MD5

                    8ce1566a0d568178e6dfb1ad0b0a5aae

                    SHA1

                    ef05a61902362b547c766abe0c3651c4d3471e98

                    SHA256

                    367912bfbe21f600aa2a548d5d08dae155e5e58b8f74d1a41fb1d5e82e24ab20

                    SHA512

                    77717296d9e25378f14046446e3063a019b025ac188029dbff8aaeb0859889f39e23b8044f7b5d2c54f20537480c574845e2485dee6bc368307491e8183ef05f

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\extension-preferences.json.matryoshka
                    MD5

                    772f84e99fd1a24dcdee86cd2ba052e7

                    SHA1

                    15447cac68983f72116ca08ec2d34ef80ea9fe86

                    SHA256

                    ed5f5858e97c36a8b8f50e96a6c3831870cc068dc7a9423a5597d37b2a329fcf

                    SHA512

                    b08a60dbf38563f75bb4cc388e8cc57ec97714ab1cd60a4027d8c8dbd1490d3cbb246f5f2aa372ecbcfd2ea17ba315c652dd7ec6c7d2602009856de45c9105be

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\extensions.json.matryoshka
                    MD5

                    5f7e3be2e5739788b95d538ee8288c02

                    SHA1

                    bc41f46a5df3d07386221841ace2c0ab0c2ed937

                    SHA256

                    d18d3ee0447def2b25262e59ad965697470f8907aff29c0ca0efc2dc7e6ff216

                    SHA512

                    d60cc480d1b5eb769ae940ba5df8e5421f099939ae3d12e04a3f94e8ca76fbc1a320cc786fbbb8afb81538ba9ee5246bc1f634fcf511c74ed0573ce3efef2ece

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\handlers.json.matryoshka
                    MD5

                    87c4a8d9253c092299bd92e320aca407

                    SHA1

                    ae78f1260b6acc72c58c4da3ac82be0ed356ce2e

                    SHA256

                    3a69e811c926aee4cb1061a49b53acfa010349e8abb0b5772c7cbbe797c7e858

                    SHA512

                    a68e539f28cbcdc1d01983a5f2de2fee6ae46b2992caf69708bc3ecf6abde365178df9c3534a9ddfd816bc59dd91d60958070959e7cd7ea527205eb29ea92216

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\key4.db.matryoshka
                    MD5

                    005c6a8266f66ed41add4f8710647615

                    SHA1

                    3a27e355b46c1c67a271b52689aedaf1611e83b9

                    SHA256

                    e4dc369e7914e75e5d1fa2b3e4e7ce7def26a17cef86c9487d5175d0dc114355

                    SHA512

                    c7a2c6a321e65ac2e7298afc828246235252a43d5766918fff42aad04a2caea6758075c280cee97036d391c4873d91439c8b3bcb64dec1323405b11c1ebcdaa0

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\pkcs11.txt.matryoshka
                    MD5

                    a3b08964a35b929ae585eb4bbab23a25

                    SHA1

                    b2df7308d10c038457c9ce512ef38f48df5b8bcd

                    SHA256

                    4ea048314e39052888fb1bd99c4d5d3f57fdfd6af6739738ac7527194c7a9f1b

                    SHA512

                    e823323f5ae6e786796df028b1fe95957cc7e80e6fb1cfaddc00bdd2a2bcf7da0d1ca5a9deca7b8ae980d9d1bc7eba741236d29add1dc16ee32f82822fcd09a6

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\pluginreg.dat.matryoshka
                    MD5

                    b109ce5949b56dacbc0a6e954c497232

                    SHA1

                    b8860456fccad8ec4ce6b67f89aed663a31a74f3

                    SHA256

                    826dfe3504871543c0504859cc5f741470c593ccc3ffedc618be223d486bcf8e

                    SHA512

                    31a072a721702fdb0811d4ad90aab91305b492a1706a68aeff3c328644d7e37767618954531c74fdc2a207eec3774178d81d4e4ad2b7705ff1c948abf229369c

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\prefs.js.matryoshka
                    MD5

                    f9c0c05a892d1fc881c68acb650d7f61

                    SHA1

                    1d4955b4a7a2a72c1f14632e57cd1570cf60992a

                    SHA256

                    558701d1f64af0ed44cc4111a623c0e623dc9d220960b8b2d9800310462745f8

                    SHA512

                    dd4f79be91baf0b8ffb1536e62c5b25eadf47a9c979a7124855065e8701fb667a2493a477fa026cae402b395734f15940e8a2ecb2f6fcd6487dd0392d45776e9

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\sessionCheckpoints.json.matryoshka
                    MD5

                    4c30f79545c005c9bef45aaadab989a1

                    SHA1

                    24d902a82e2dd3d4fa947563c41e4ebd1378414a

                    SHA256

                    e3cd253dbd46204fcd911e62a22f85ce195dcd26f83f6e286635f8968b293002

                    SHA512

                    3f0c1c8d9d0cd44031441573c450e0ba62fff54b9f3dadbe5375bb8ad7b447f392d40ab8a90bb8492dd9ebda6181698398e684ffaacd272dc0e8b4ed2e18c905

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\shield-preference-experiments.json.matryoshka
                    MD5

                    4e2588317574321d6d874515399e4922

                    SHA1

                    4c75018e712b3a8ea5be38d95a4f722a3c194638

                    SHA256

                    543eef9ee28bcd2f050a04f8bfb2c8f41c0d92452ce72f7d90f08578e2b9f0b4

                    SHA512

                    069792e7689e14c72762be4596e6f4a204e82f3ec0b675ce3eba17dab93d957dbaaf4682bacdf6143609a21aeb16889efb6388b2b2a50c7a83882c5118859c25

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\times.json.matryoshka
                    MD5

                    f06c8025b0db893094b492c287ad181f

                    SHA1

                    04aaa72697b2c985bb584fcad22296658f505eca

                    SHA256

                    786ecf451c875d3692002d8f5220a262687639b08ff5201751dc8bc7c2736d92

                    SHA512

                    7aa49fccfffdc385e6f02a6a03bbb37a883b0b5cb5ed7bc91db6a62ff372188bbd20c9a0feed715d9e82377c4d42373ac890a04b91117e4cfdeb29ae6e511483

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3kzncs28.default-release\xulstore.json.matryoshka
                    MD5

                    28760dd8b9541231eb0dad7e5ecfb21a

                    SHA1

                    b64e8d2a93d9fe5e7d4c38fc8d9a7db42df6ee1f

                    SHA256

                    d5e375e17582d7fb727dea2fdd5e67f8df0c493da22d5e9c1c787a4c459ca72f

                    SHA512

                    6f0616f0797a789f71b1ddee1488596c77f54caaa4d7722a5722ae6d64826900e5477ed392f8bf299c88acbfa58d77578ac96971d0561bd09169167572685ed5

                    Download Submit
                  • C:\Users\Admin\Desktop\GroupBackup.txt.matryoshka
                    MD5

                    6dcde22b432b25950279618aeeaf8a70

                    SHA1

                    6f83fd27fe9c89748a7f4afd84701df669ea1038

                    SHA256

                    8aea3775c67c8f9ef8d936a46f001acbe5819ad098e7c908c06af67222cf1a07

                    SHA512

                    000ee1471bcbcf66671e342edef0df552fca0add0d9b1ee0c9d2be6c545b9376897eea94e29b70cb33cf2fad408bf864269e135634a16b7dd5ff6488dcfbcf2a

                    Download Submit
                  • \??\pipe\crashpad_364_FFHVBPHIBGAHOIGK
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/1040-135-0x000000001C4F5000-0x000000001C4F6000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1040-130-0x00000000002E0000-0x0000000000312000-memory.dmp
                    Filesize

                    200KB

                    Download
                  • memory/1040-132-0x000000001C4F0000-0x000000001C4F2000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1040-133-0x000000001C4F2000-0x000000001C4F4000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1040-134-0x000000001C4F4000-0x000000001C4F5000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1040-136-0x0000000025A80000-0x0000000026226000-memory.dmp
                    Filesize

                    7.6MB

                    Download
                  • memory/1040-131-0x00007FFAB04E3000-0x00007FFAB04E5000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1040-137-0x000000001C4F7000-0x000000001C4F8000-memory.dmp
                    Filesize

                    4KB

                    Download