Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10-03-2022 17:16
Static task: static1
Behavioral task: behavioral1
Sample: 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
Resource: win7-en-20211208
General
- Target: 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
- Size: 3.0MB
- MD5: 09fb8646753f7041cb0dc124b3c571cf
- SHA1: d41f962c8b308802635a446d1637a1316be54da1
- SHA256: 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a
- SHA512: 7e0bc327c63acfc77c4276b6e7cffdd6514a4512fe76ebed360c629d94511f20dd0368c6220a21c40e1bb64b53e9a86ccb971a4c38c5cdf813a431716b15a536
Malware Config
Signatures
- NirSoft WebBrowserPassView (1 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource: behavioral1/memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp
    yara_rule: WebBrowserPassView
- Nirsoft (1 IoCs)
  Processes:
    resource: behavioral1/memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp
    yara_rule: Nirsoft
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1396, process RtkBtManServ.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 1316, process 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 5, ioc api64.ipify.org
    flow 6, ioc api64.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid 1396, process RtkBtManServ.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 1316 wrote to memory of 1396, pid 1316, process 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe, target process RtkBtManServ.exe
    description: PID 1316 wrote to memory of 1396, pid 1316, process 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe, target process RtkBtManServ.exe
    description: PID 1316 wrote to memory of 1396, pid 1316, process 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe, target process RtkBtManServ.exe
    description: PID 1316 wrote to memory of 1396, pid 1316, process 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe, target process RtkBtManServ.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4iWQts1PND+kGJ4xdmGirFtT5W3OXFMbjE8CmdHgtOm0xo8eWTYs60ZjZMZYNO9Oj+IEZX5hTZz71kfTdlEjihNmMmWELE++ykkeW58BqUkHKYnClrsLhUECbONhhqWho=
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  MD5: 88ab0bb59b0b20816a833ba91c1606d3
  SHA1: 72c09b7789a4bac8fee41227d101daed8437edeb
  SHA256: f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
  SHA512: 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
- C:\Users\Admin\AppData\Local\Temp\config
  MD5: 1ba367d0f9aac0f650e65ab7401776c0
  SHA1: 75cf3295125cfaa0c247ebccc57e63f915198683
  SHA256: 68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03
  SHA512: 45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c
- \Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  MD5: 88ab0bb59b0b20816a833ba91c1606d3
  SHA1: 72c09b7789a4bac8fee41227d101daed8437edeb
  SHA256: f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
  SHA512: 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
- memory/1316-57-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
  Filesize: 4KB
- memory/1316-56-0x0000000000A90000-0x0000000000D8C000-memory.dmp
  Filesize: 3.0MB
- memory/1316-55-0x0000000074B10000-0x00000000751FE000-memory.dmp
  Filesize: 6.9MB
- memory/1396-66-0x000000001BA20000-0x000000001BAD0000-memory.dmp
  Filesize: 704KB
- memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp
  Filesize: 3.3MB
- memory/1396-64-0x0000000000820000-0x0000000000826000-memory.dmp
  Filesize: 24KB
- memory/1396-65-0x000000001AE00000-0x000000001AE02000-memory.dmp
  Filesize: 8KB
- memory/1396-62-0x00000000003D0000-0x00000000006AA000-memory.dmp
  Filesize: 2.9MB
- memory/1396-61-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
  Filesize: 9.9MB
- memory/1396-68-0x0000000002170000-0x00000000021A0000-memory.dmp
  Filesize: 192KB
- memory/1396-69-0x0000000000AA0000-0x0000000000AAC000-memory.dmp
  Filesize: 48KB
- memory/1396-70-0x0000000002230000-0x000000000224A000-memory.dmp
  Filesize: 104KB
- memory/1396-71-0x00000000022D0000-0x0000000002302000-memory.dmp
  Filesize: 200KB
- memory/1396-72-0x000000001AFB0000-0x000000001B052000-memory.dmp
  Filesize: 648KB
- memory/1396-73-0x000000001A990000-0x000000001A998000-memory.dmp
  Filesize: 32KB