Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    26-03-2022 23:16

General

  • Target

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe

  • Size

    440KB

  • MD5

    a3b4d25af01edf5fe34fd6e13a1381e6

  • SHA1

    3a60499205fa92a581d3b6cb232fc8ed8d750088

  • SHA256

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

  • SHA512

    d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe
    "C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C6E.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2348
      • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
        "C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1284
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2572

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    b597c90d8967bc27104d9fc54c32a6d4

    SHA1

    d6d0182c3367bf7b87941f05baff2d27532ec1be

    SHA256

    c57652ded43ff393f9d0b51c1709b30c4c8ebedf6040942f3b2510dc3dd15b46

    SHA512

    8e7211b0dd60683c11491c3ef23ade022aa2900e7ffec304e4d183bbc0668121f7440d36af113cc8074d504698d1269f0c46a555ac460d72bda1ff01997bbb72

  • C:\Users\Admin\AppData\Local\Temp\tmp8C6E.tmp.bat

    Filesize

    160B

    MD5

    f0a2091e01c4caab167d64d2c14a3c2d

    SHA1

    83536fd7b95ee98438506cfde8c006514c814ae1

    SHA256

    0157ebb01fc0604d0e798097286f2b6bfac6bcbaf93d71a117c7431c9ac7c23b

    SHA512

    3e65d18ba27477230b2cd3c6eb077b186add49d6c35c8cb11007ae89a5e400958c3e0e91096f9ca9b7158377403ebe78639fb174824342b8e78d08515b94eab8

  • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe

    Filesize

    440KB

    MD5

    a3b4d25af01edf5fe34fd6e13a1381e6

    SHA1

    3a60499205fa92a581d3b6cb232fc8ed8d750088

    SHA256

    8b88a1b3eeaae266280873836b1a2059a90233e4bc315634ea09a70697af7d6f

    SHA512

    d9269e5c8bbf672ef32e8f74d61bdd3abaa991a74fb092ca5dc7f9a25b8bb7cd0dc09b59b823336edcc9b18d226b9b8e518ac2ca710e2c9bd8ce5452b9ccc5b0

  • memory/1284-171-0x0000000004963000-0x0000000004965000-memory.dmp

    Filesize

    8KB

  • memory/1284-170-0x0000000008140000-0x0000000008190000-memory.dmp

    Filesize

    320KB

  • memory/2572-173-0x000000006F650000-0x000000006F69C000-memory.dmp

    Filesize

    304KB

  • memory/2572-174-0x0000000002695000-0x0000000002697000-memory.dmp

    Filesize

    8KB

  • memory/2960-154-0x0000000004835000-0x0000000004837000-memory.dmp

    Filesize

    8KB

  • memory/2960-156-0x0000000074C70000-0x0000000074CBC000-memory.dmp

    Filesize

    304KB

  • memory/2960-147-0x0000000004DD0000-0x0000000004E36000-memory.dmp

    Filesize

    408KB

  • memory/2960-146-0x0000000004B30000-0x0000000004B52000-memory.dmp

    Filesize

    136KB

  • memory/2960-167-0x0000000007130000-0x0000000007138000-memory.dmp

    Filesize

    32KB

  • memory/2960-153-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

    Filesize

    120KB

  • memory/2960-166-0x0000000007150000-0x000000000716A000-memory.dmp

    Filesize

    104KB

  • memory/2960-155-0x00000000060C0000-0x00000000060F2000-memory.dmp

    Filesize

    200KB

  • memory/2960-164-0x0000000007090000-0x0000000007126000-memory.dmp

    Filesize

    600KB

  • memory/2960-157-0x0000000006090000-0x00000000060AE000-memory.dmp

    Filesize

    120KB

  • memory/2960-145-0x0000000004E70000-0x0000000005498000-memory.dmp

    Filesize

    6.2MB

  • memory/2960-143-0x00000000021E0000-0x0000000002216000-memory.dmp

    Filesize

    216KB

  • memory/2960-165-0x0000000007040000-0x000000000704E000-memory.dmp

    Filesize

    56KB

  • memory/2960-161-0x0000000007460000-0x0000000007ADA000-memory.dmp

    Filesize

    6.5MB

  • memory/2960-162-0x0000000006E10000-0x0000000006E2A000-memory.dmp

    Filesize

    104KB

  • memory/2960-163-0x0000000006E80000-0x0000000006E8A000-memory.dmp

    Filesize

    40KB

  • memory/3948-134-0x0000000000070000-0x00000000000E2000-memory.dmp

    Filesize

    456KB

  • memory/3948-142-0x00000000086E0000-0x000000000877C000-memory.dmp

    Filesize

    624KB

  • memory/3948-144-0x0000000004B03000-0x0000000004B05000-memory.dmp

    Filesize

    8KB

  • memory/3948-140-0x00000000084D0000-0x0000000008536000-memory.dmp

    Filesize

    408KB

  • memory/3948-139-0x0000000007010000-0x000000000702E000-memory.dmp

    Filesize

    120KB

  • memory/3948-138-0x0000000007060000-0x00000000070D6000-memory.dmp

    Filesize

    472KB

  • memory/3948-137-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

    Filesize

    40KB

  • memory/3948-136-0x0000000004B10000-0x0000000004BA2000-memory.dmp

    Filesize

    584KB

  • memory/3948-135-0x00000000050C0000-0x0000000005664000-memory.dmp

    Filesize

    5.6MB