Analysis
-
max time kernel
112s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:31
Static task
static1
Behavioral task
behavioral1
Sample
SRUYM9J4.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
SRUYM9J4.exe
Resource
win10v2004-20220414-en
General
-
Target
SRUYM9J4.exe
-
Size
475KB
-
MD5
5fc1b1f7d19c60e9776c53deab129960
-
SHA1
655038400c51c6e137206f79fb9995b432665f93
-
SHA256
1fc23a174b140e18c483571695a84360667aa1c719451bba5c73a4ffe4da48d2
-
SHA512
2090df70e0073b04a93407e6f00ca235425a8d1076c12f7bfb2766e7da103d23600539015f47d7075c995add45accbfc15a18415be4a99e1a43a448e23af8a6d
Malware Config
Extracted
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
coronavirus2020
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SRUYM9J4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation SRUYM9J4.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SRUYM9J4.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SRUYM9J4.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SRUYM9J4.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SRUYM9J4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SRUYM9J4.exepid process 4556 SRUYM9J4.exe 4556 SRUYM9J4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SRUYM9J4.exedescription pid process Token: SeDebugPrivilege 4556 SRUYM9J4.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
SRUYM9J4.exedescription pid process target process PID 4556 wrote to memory of 4316 4556 SRUYM9J4.exe schtasks.exe PID 4556 wrote to memory of 4316 4556 SRUYM9J4.exe schtasks.exe PID 4556 wrote to memory of 4316 4556 SRUYM9J4.exe schtasks.exe PID 4556 wrote to memory of 1732 4556 SRUYM9J4.exe netsh.exe PID 4556 wrote to memory of 1732 4556 SRUYM9J4.exe netsh.exe PID 4556 wrote to memory of 1732 4556 SRUYM9J4.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
SRUYM9J4.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SRUYM9J4.exe -
outlook_win_path 1 IoCs
Processes:
SRUYM9J4.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SRUYM9J4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SRUYM9J4.exe"C:\Users\Admin\AppData\Local\Temp\SRUYM9J4.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GbfZvLasxAqaty" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD73A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD73A.tmpFilesize
1KB
MD5b3702c6d4cf3dd931799ec3bec15e346
SHA13fda6bb557d3bf5863cf011c217a423619698103
SHA256c2af915abce042fbdb29d96d76579f00a4ef781b737f1461d857a286edc124c6
SHA512495ee1c8b1fd3adbcc817b3526c4af60fd25a8948d33bf21b9a7046bc21bd9a759a61b52b62f7914935545c0997694106f80877a6b2ac15b79de5fcb3a184363
-
memory/1732-138-0x0000000000000000-mapping.dmp
-
memory/4316-135-0x0000000000000000-mapping.dmp
-
memory/4556-130-0x0000000000A50000-0x0000000000ACE000-memory.dmpFilesize
504KB
-
memory/4556-131-0x0000000007EF0000-0x0000000008494000-memory.dmpFilesize
5.6MB
-
memory/4556-132-0x00000000079E0000-0x0000000007A72000-memory.dmpFilesize
584KB
-
memory/4556-133-0x0000000007950000-0x000000000795A000-memory.dmpFilesize
40KB
-
memory/4556-134-0x000000000B440000-0x000000000B4DC000-memory.dmpFilesize
624KB
-
memory/4556-137-0x000000000BE50000-0x000000000BEB6000-memory.dmpFilesize
408KB
-
memory/4556-139-0x000000000BD60000-0x000000000BDB0000-memory.dmpFilesize
320KB