Analysis

  • max time kernel: 150s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220113
  • submitted: 26-03-2022 16:54

General

  • Target: 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe
  • Size: 411KB
  • MD5: 4bf2b285e0392f1be1e357503cead553
  • SHA1: 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
  • SHA256: 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
  • SHA512: 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe
    "C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3692
      • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
        "C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:4516
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1848

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 3d086a433708053f9bf9523e1d87a4e8
    SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
    SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
    SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 18KB
    MD5: 6cb00dfdc232993fd6de2662f82b62c2
    SHA1: 105bae854b351a3e1cb2f496e755a9d7e50fb406
    SHA256: 433778ebe953b35c28ea23860891e19cfaa41fdfdf82380b5b9d51688a07de94
    SHA512: e0b897b67a24d35af2b44174ee7e9bdedaa2f6bd094daf5e15927e6492608d5c2806c41ad12a68f653cf073c695d96cc40cc5cacf24ac7b5d3adda61bae441c9

  • C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat
    Filesize: 160B
    MD5: f88ad9870be1dd67ffad820daa81088d
    SHA1: 909816936d9c19b481d9adaff26294f699969e11
    SHA256: de8c3af9c2e24e598937672ab8125e2848762964c248740b536fecd603ba4a66
    SHA512: e91159cba46ac5a787fced3609ef7c5ee03c228e954f3270e3c2b58ca20af0e80c554b6795b3eeaf69744cacbb0d09402aa5a1459081a877a9577d0fe981473e

  • C:\Users\Admin\AppData\Roaming\zygolen\nslookup.exe
    Filesize: 411KB
    MD5: 4bf2b285e0392f1be1e357503cead553
    SHA1: 0c3e961e3cb3ab244211a82a24c3d4a6d5713e1b
    SHA256: 63c8f95c4f3a0e075e95be7cbae84a946c01515655ca894a4e87d07aaee928e2
    SHA512: 4547de80c187a3355a533d84dfabd0ca205fb73c915f2a0913ff3d2e644debefced5ed6c001ba3b7711c76a58bf9bd2707ca62d51c1cbd41dbe6333360f1c8c1

  • memory/1848-168-0x000000006EF90000-0x000000006EFDC000-memory.dmp
    Filesize: 304KB
  • memory/1848-167-0x00000000044E5000-0x00000000044E7000-memory.dmp
    Filesize: 8KB
  • memory/3980-137-0x0000000008770000-0x000000000880C000-memory.dmp
    Filesize: 624KB
  • memory/3980-136-0x0000000004D30000-0x00000000052D4000-memory.dmp
    Filesize: 5.6MB
  • memory/3980-134-0x0000000008660000-0x00000000086C6000-memory.dmp
    Filesize: 408KB
  • memory/3980-133-0x0000000004FB0000-0x0000000004FBA000-memory.dmp
    Filesize: 40KB
  • memory/3980-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp
    Filesize: 584KB
  • memory/3980-130-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/3980-131-0x00000000052E0000-0x0000000005884000-memory.dmp
    Filesize: 5.6MB
  • memory/4312-157-0x0000000006DF0000-0x0000000006DFA000-memory.dmp
    Filesize: 40KB
  • memory/4312-158-0x0000000007000000-0x0000000007096000-memory.dmp
    Filesize: 600KB
  • memory/4312-151-0x0000000006060000-0x0000000006092000-memory.dmp
    Filesize: 200KB
  • memory/4312-152-0x0000000074CC0000-0x0000000074D0C000-memory.dmp
    Filesize: 304KB
  • memory/4312-153-0x0000000006040000-0x000000000605E000-memory.dmp
    Filesize: 120KB
  • memory/4312-154-0x0000000004555000-0x0000000004557000-memory.dmp
    Filesize: 8KB
  • memory/4312-155-0x00000000073C0000-0x0000000007A3A000-memory.dmp
    Filesize: 6.5MB
  • memory/4312-156-0x0000000006D80000-0x0000000006D9A000-memory.dmp
    Filesize: 104KB
  • memory/4312-147-0x0000000005A90000-0x0000000005AAE000-memory.dmp
    Filesize: 120KB
  • memory/4312-159-0x0000000006FB0000-0x0000000006FBE000-memory.dmp
    Filesize: 56KB
  • memory/4312-160-0x00000000070C0000-0x00000000070DA000-memory.dmp
    Filesize: 104KB
  • memory/4312-161-0x00000000070A0000-0x00000000070A8000-memory.dmp
    Filesize: 32KB
  • memory/4312-141-0x0000000005390000-0x00000000053F6000-memory.dmp
    Filesize: 408KB
  • memory/4312-138-0x00000000044A0000-0x00000000044D6000-memory.dmp
    Filesize: 216KB
  • memory/4312-140-0x00000000051F0000-0x0000000005212000-memory.dmp
    Filesize: 136KB
  • memory/4312-139-0x0000000004B90000-0x00000000051B8000-memory.dmp
    Filesize: 6.2MB
  • memory/4516-166-0x0000000005130000-0x00000000056D4000-memory.dmp
    Filesize: 5.6MB
  • memory/4516-163-0x0000000008970000-0x00000000089C0000-memory.dmp
    Filesize: 320KB