Analysis
- max time kernel: 4294211s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 04-04-2022 03:42
- Static task: static1
- Behavioral task: behavioral1 (sample: Service.exe, resource: win7-20220311-en)
- Behavioral task: behavioral2 (sample: Service.exe, resource: win10v2004-20220310-en)
General
- Target: Service.exe
- Size: 385KB
- MD5: 45abb1bedf83daf1f2ebbac86e2fa151
- SHA1: 7d9ccba675478ab65707a28fd277a189450fc477
- SHA256: 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
- SHA512: 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 1248  jm235Pg5NufPS8T2Br5Niylp.exe
  pid 1548  xhHdjGYIwFulfOaZIwhO9BKf.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation  (process: jm235Pg5NufPS8T2Br5Niylp.exe)
- Loads dropped DLL (7 IoCs)
  pid 1220  Service.exe
  pid 1248  jm235Pg5NufPS8T2Br5Niylp.exe
  pid 700   WerFault.exe (5 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 16  ipinfo.io
  flow 17  ipinfo.io
  flow 33  ipinfo.io
  flow 34  ipinfo.io
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  (process: Service.exe)
  File opened for modification: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  (process: Service.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 700  WerFault.exe, pid_target 1248, procid_target 29
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1520  schtasks.exe
  pid 392   schtasks.exe
- Modifies system certificate store
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = (blob data not captured)  (process: Service.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = (blob data not captured)  (process: Service.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118  (process: Service.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1248  jm235Pg5NufPS8T2Br5Niylp.exe (4 entries)
  pid 1548  xhHdjGYIwFulfOaZIwhO9BKf.exe (60 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1220 (Service.exe) wrote to memory of 1248, procid_target 29 (4 entries)
  PID 1220 (Service.exe) wrote to memory of 1520, procid_target 30 (4 entries)
  PID 1220 (Service.exe) wrote to memory of 392, procid_target 31 (4 entries)
  PID 1248 (jm235Pg5NufPS8T2Br5Niylp.exe) wrote to memory of 1548, procid_target 34 (4 entries)
  PID 1248 (jm235Pg5NufPS8T2Br5Niylp.exe) wrote to memory of 700, procid_target 35 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Service.exe  (PID 1220, depth 1)
  command: "C:\Users\Admin\AppData\Local\Temp\Service.exe"
  signatures: Loads dropped DLL; Drops file in Program Files directory; Modifies system certificate store; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe  (PID 1248, depth 2)
    command: "C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe"
    signatures: Executes dropped EXE; Checks computer location settings; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe  (PID 1548, depth 3)
      command: "C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe  (PID 700, depth 3)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 364
      signatures: Loads dropped DLL; Program crash
  - C:\Windows\SysWOW64\schtasks.exe  (PID 1520, depth 2)
    command: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe  (PID 392, depth 2)
    command: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 81180798f4d48d852ec031c3eed10781
  SHA1: b66bbc8d7a8e5e0c65b0d9c624f2c13e6bfe8c61
  SHA256: f901a508db08da3d9cc47b3eade0ddc2bbb273b92cccecfe26df7a6df9f9e4bc
  SHA512: 4de8e91721ce37693c410a38ee5fb73ca260b8006904916fbb1892114918b2ced1bfb1d5a4195e666d94ae1fdfbef4932c128b5c2e8e76036869ea11a1a31c58
- (path not captured; 8 identical entries in the report)
  Filesize: 232KB
  MD5: 5546c1ab6768292b78c746d9ea627f4a
  SHA1: be3bf3f21b6101099bcfd7203a179829aea4b435
  SHA256: 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
  SHA512: 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f
- (path not captured; 2 identical entries in the report)
  Filesize: 318KB
  MD5: 3f22bd82ee1b38f439e6354c60126d6d
  SHA1: 63b57d818f86ea64ebc8566faeb0c977839defde
  SHA256: 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
  SHA512: b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f