Analysis
- max time kernel: 43s
- max time network: 85s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:39

Static task: static1
Behavioral task: behavioral1
Sample: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
Resource: win7-20220414-en
General
- Target: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
- Size: 403KB
- MD5: 7b14a66b08d68be48ee440e519a6e823
- SHA1: 74a5709d1704574b8a8aff95e5ca1a7fe55b9259
- SHA256: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614
- SHA512: c4b2bfb426adf7ec56043300d5fe87ca3b6f2203f9bcc9dc4346e0b44a87bf9a1b702e5d851dcb22ede5b36b990f8bfad97b7410500800ffc93bc7f4758dd54f
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1620  XXMBK.exe
    960   SSJK.exe
    1800  CDGH.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
    1620  XXMBK.exe
    1620  XXMBK.exe
    1620  XXMBK.exe
    1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
    960   SSJK.exe
    960   SSJK.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (6 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\CDGH.exe    nsis_installer_1
    \Users\Admin\AppData\Local\Temp\CDGH.exe    nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_2
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1612 wrote to memory of 1620  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 1612 wrote to memory of 1620  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 1612 wrote to memory of 1620  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 1612 wrote to memory of 1620  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 1620 wrote to memory of 960   1620  XXMBK.exe  SSJK.exe
    PID 1620 wrote to memory of 960   1620  XXMBK.exe  SSJK.exe
    PID 1620 wrote to memory of 960   1620  XXMBK.exe  SSJK.exe
    PID 1620 wrote to memory of 960   1620  XXMBK.exe  SSJK.exe
    PID 1612 wrote to memory of 1800  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
    PID 1612 wrote to memory of 1800  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
    PID 1612 wrote to memory of 1800  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
    PID 1612 wrote to memory of 1800  1612  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
Processes (process tree; depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe"
  PID: 1612
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
    PID: 1620
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\SSJK.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SSJK.exe"
      PID: 960
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  - [2] C:\Users\Admin\AppData\Local\Temp\CDGH.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
    PID: 1800
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; each file is listed once, duplicate entries merged)
- C:\Users\Admin\AppData\Local\Temp\CDGH.exe (also reported as \Users\Admin\AppData\Local\Temp\CDGH.exe)
  Filesize: 35KB
  MD5: b5510faf54af520660525417de2c8b06
  SHA1: 78351c3549d5bb4883a3072d2fc5ac78cf6a5a6e
  SHA256: a7b031025f3ce486240f885081cd93a282bf00738fb1d1a9f031c59614624c00
  SHA512: 7ca920945773e08e16e297a56c01bb0fb7eea9c8461553c7545f3d485ea12c4367ba02967ab1d5e3cba36d52ed2906cadeef68543529dddef0bd5c539ec8238e
- C:\Users\Admin\AppData\Local\Temp\XXMBK.exe (also reported as \Users\Admin\AppData\Local\Temp\XXMBK.exe)
  Filesize: 444KB
  MD5: e793c4bd1cece8d27b7aaf4050d58e79
  SHA1: 85c374c976623c265f0609445de296662427029a
  SHA256: d9a6f2d2ed74136c67f9a640bb12ea18d0f057fb0c40ba59f99a7a8be3606ac0
  SHA512: 7327b3dc1ab4d493cde1cfeeb1d2680ff823ab6e8feb53213565798b6ba195b1b60e9e374af6c6fbfae3d54ecfb83ae68fac5381c9bc71a437ce43188b5ef6ce
- C:\Users\Admin\AppData\Roaming\SSJK.exe (also reported as \Users\Admin\AppData\Roaming\SSJK.exe)
  Filesize: 339KB
  MD5: 74d54a45f28379b31334ff97dcf2bae7
  SHA1: 5d9de494e7f04e576b03fc25d295349129e601d1
  SHA256: 342efce61c6c6666b35e1a46cc962ec48a128462702ccf9217f0de2c077925de
  SHA512: 38c63133f4c8a6305d6006e2144c65fa8c42dc18d662350716d197ab621b5942b632e241fc00eb0a963f8ab2b83e638de6630140b4d67f3ac8d42195c064a70f

Memory dumps
- memory/960-63-0x0000000000000000-mapping.dmp
- memory/1612-54-0x0000000075721000-0x0000000075723000-memory.dmp (Filesize: 8KB)
- memory/1620-56-0x0000000000000000-mapping.dmp
- memory/1800-67-0x0000000000000000-mapping.dmp