Overview

overview

10

Static

static

5

2a4569106e...45.exe

windows7_x64

10

2a4569106e...45.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe

  • Size

    7.1MB

  • MD5

    1291d0e7259bebe1ae1677716093faa1

  • SHA1

    bc000650222b120acc6b041dc70744a0b73e1dce

  • SHA256

    2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45

  • SHA512

    ede41f8ad4bfbfdf5b21a4ead8bf375740e9af7047ac7efca2f95f957ac20344e6f3e5f8cf31e59d6028b003bd59504cdd10729acdca58d4d391f9146ad02193

Score
10/10
discoveryevasionspywarestealersuricataupx

Malware Config

Signatures

  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 7 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe
    "C:\Users\Admin\AppData\Local\Temp\2a4569106eacda6cc815b3c68db2c7596e3c029878ec7d33ece28d87fe9f4c45.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe
      "C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe"
      2⤵
      • Executes dropped EXE
      PID:4948
    • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe
      "C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
        C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe
          C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\msil_system.messaging\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\*"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4032
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Users\Admin\AppData\Roaming\msil_system.messaging"
          4⤵
          • Views/modifies file attributes
          PID:5072
    • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe
      "C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      PID:4796
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1456
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe
    Filesize

    1.8MB

    MD5

    1a13e8dfe125935fd89adb3af9aac59e

    SHA1

    c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

    SHA256

    4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

    SHA512

    26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\Build.exe
    Filesize

    1.8MB

    MD5

    1a13e8dfe125935fd89adb3af9aac59e

    SHA1

    c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

    SHA256

    4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

    SHA512

    26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\_CoordinationEau.exe
    Filesize

    11.8MB

    MD5

    50647575d19d0feafffed45d81ba035c

    SHA1

    4d8500ee73f7ffe98132d4cddc6ddca34be06f8d

    SHA256

    395eaeca6fdc7e124ff08d4b6f10fa2bdb65e1724a82cce3aee9c5bdbf164183

    SHA512

    1daa9ac96434c9c925762251494729b402e78832a336a8433b6480c13f9caecd701b991ceb2fda33f66fa90153f9caf5d55f684ce4edcdf921d247c72c019289

    Download Submit
  • C:\Users\Admin\AppData\Roaming\iTFOPWREYzdMtrNpkvF5Y\loader.exe
    Filesize

    1.0MB

    MD5

    51eeeb83de020e18ac94f72dbab96af6

    SHA1

    e8ce8c5811eb0e5569aa8d50b496e7a2bf2a243f

    SHA256

    2530c65e04c0da13b2664e2d5df1d5d3a284c283dcb22a0acb9803a962470766

    SHA512

    0da9b5aa8013b7d02677b517341f882bbd0da305cc18eba1ad5c8c759c064adb74fb74c8a8f6973cb0772af5d834b2d497404006500b9e42806fca66d08bde52

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\Information.txt
    Filesize

    3KB

    MD5

    9e69c2aeeddabc6454929a82587f32e4

    SHA1

    672984b84236f9e00c6940f8e73e7001e271dc4d

    SHA256

    9b4a3c4fc6279b992b886eda5c184135ec3e6fbc3713bdb7bfde77a4d1f2a829

    SHA512

    8851f44b28b53a95cd47a9f1dd58355837364a5a03c271f00db387f1791261215140bef8552e8a4500d1d96fbc953f081a87ee1e42676886c892a412dd630470

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\1\Screen.jpg
    Filesize

    49KB

    MD5

    659699ff52160e903bad30479e68fb9a

    SHA1

    e7e177f3d4d4e4ce91be62e7b02bdbba9e93676e

    SHA256

    f282eb1ce3905db50440b156071ccbf2578e5c0467ba77d9155a70b36285ee6e

    SHA512

    ba042ab3e1ceacb8db61da5c41d4ea2a43cb5bf9ecdc3eb6b926d161977a1b05541f123e18a4096436dec793752823d1caf81393b2a13fbc374163e3cac641c0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    Filesize

    1.8MB

    MD5

    1a13e8dfe125935fd89adb3af9aac59e

    SHA1

    c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

    SHA256

    4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

    SHA512

    26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    Filesize

    1.8MB

    MD5

    1a13e8dfe125935fd89adb3af9aac59e

    SHA1

    c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

    SHA256

    4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

    SHA512

    26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.exe
    Filesize

    1.8MB

    MD5

    1a13e8dfe125935fd89adb3af9aac59e

    SHA1

    c6c1b2a7b1e1feca80d04977d92c04e665fccb0e

    SHA256

    4039ab9faff6461db91d129828014b45cb1b1162482d023a12accd7788c27b98

    SHA512

    26584a612470b1ac28b57ac80a1aeda28ad4f5a17c8ec893a911b4ddec55f0f47e74e96bc08d1439d242333559185d157b755727d4d4abf7832177b8222346c1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.module.exe
    Filesize

    197KB

    MD5

    946285055913d457fda78a4484266e96

    SHA1

    668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

    SHA256

    23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

    SHA512

    30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit
  • C:\Users\Admin\AppData\Roaming\msil_system.messaging\srclient.sqlite3.module.dll
    Filesize

    360KB

    MD5

    8c127ce55bfbb55eb9a843c693c9f240

    SHA1

    75c462c935a7ff2c90030c684440d61d48bb1858

    SHA256

    4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

    SHA512

    d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

    Download Submit
  • memory/1104-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4796-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4948-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4964-132-0x0000000000000000-mapping.dmp
    Download
  • memory/5072-146-0x0000000000000000-mapping.dmp
    Download