Analysis
max time kernel: 279s
max time network: 285s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 21-03-2022 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: b2b_2022-03-20_00-04.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: b2b_2022-03-20_00-04.exe
  Resource: win10v2004-20220310-en
General
Target: b2b_2022-03-20_00-04.exe
Size: 298KB
MD5: 773c9670c70dd5c465ad8e57a39ae55a
SHA1: dc117d5ecfdea361e0c31568c3a78714461ad02b
SHA256: e6ccc7cc7154361faaf1994b3395a27bb0b8a97f002e28bcdba5e9901793bb00
SHA512: 265e1d19da3f1a13a25fc2dd6a12cfff484520e1228517d57dfb9cb4ff171bc4d4f986321eba619dbbb77019c714daf1b6bcd7c9dc921ddcee86ef0b25aa2dac
Malware Config
Signatures
- VKeylogger
  A keylogger first seen in Nov 2020.
- VKeylogger Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3512-136-0x0000000000720000-0x0000000000732000-memory.dmp | family_vkeylogger
  behavioral2/memory/3512-137-0x0000000000400000-0x0000000000474000-memory.dmp | family_vkeylogger
  behavioral2/memory/1500-138-0x0000000000A00000-0x0000000000A13000-memory.dmp | family_vkeylogger
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | process
  4636 | 888.exe
  4112 | 108.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ghtrh = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfoedmf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b2b_2022-03-20_00-04.exe" | explorer.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3512 set thread context of 1500 | 3512 | b2b_2022-03-20_00-04.exe | explorer.exe
- Program crash (1 IoC)
  pid | process | pid_target | target process
  3104 | WerFault.exe | 3512 | b2b_2022-03-20_00-04.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4636 | 888.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | process
  3512 | b2b_2022-03-20_00-04.exe
  1500 | explorer.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  1500 | explorer.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1500 | explorer.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 3512 wrote to memory of 1500 | 3512 | b2b_2022-03-20_00-04.exe | explorer.exe
  PID 3512 wrote to memory of 1500 | 3512 | b2b_2022-03-20_00-04.exe | explorer.exe
  PID 3512 wrote to memory of 1500 | 3512 | b2b_2022-03-20_00-04.exe | explorer.exe
  PID 1500 wrote to memory of 4636 | 1500 | explorer.exe | 888.exe
  PID 1500 wrote to memory of 4636 | 1500 | explorer.exe | 888.exe
  PID 1500 wrote to memory of 4112 | 1500 | explorer.exe | 108.exe
  PID 1500 wrote to memory of 4112 | 1500 | explorer.exe | 108.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b2b_2022-03-20_00-04.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2b_2022-03-20_00-04.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\888.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\888.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Users\Admin\AppData\Local\Temp\108.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\108.exe"
      - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 288
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3512 -ip 3512
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\108.exe
  MD5: b3bb91ad96f2d4c041861ce59ba6ac73
  SHA1: e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
  SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
  SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd
- C:\Users\Admin\AppData\Local\Temp\888.exe
  MD5: b3bb91ad96f2d4c041861ce59ba6ac73
  SHA1: e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
  SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
  SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd
- memory/1500-138-0x0000000000A00000-0x0000000000A13000-memory.dmp (Filesize: 76KB)
- memory/3512-134-0x00000000007ED000-0x00000000007FD000-memory.dmp (Filesize: 64KB)
- memory/3512-135-0x00000000007ED000-0x00000000007FD000-memory.dmp (Filesize: 64KB)
- memory/3512-136-0x0000000000720000-0x0000000000732000-memory.dmp (Filesize: 72KB)
- memory/3512-137-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)