Analysis
- max time kernel: 138s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:40
Static task: static1
Behavioral task: behavioral1
- Sample: PO 4800049984.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO 4800049984.exe
- Resource: win10v2004-20220414-en
General
- Target: PO 4800049984.exe
- Size: 405KB
- MD5: ad5ecefbac91d7cee3191da22872e2ec
- SHA1: c4c6bc3ce6e2ee682982403e97eb5364ebd9b01d
- SHA256: 301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef
- SHA512: 0375ba09e09e00c63aa8d20d3c25751139c2b5bfc98f8664258349b696a0edc001c5070a38968325887943b8b07a8c6b8f89a8ca1c10c41db7113c2ae568cd87
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: PO 4800049984.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: PO 4800049984.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: PO 4800049984.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: PO 4800049984.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: PO 4800049984.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: PO 4800049984.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PO 4800049984.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"
  process: PO 4800049984.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PO 4800049984.exe
  pid: 4472, process: PO 4800049984.exe
  pid: 4472, process: PO 4800049984.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: PO 4800049984.exe
  pid: 4472, process: PO 4800049984.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PO 4800049984.exe
  description: Token: SeDebugPrivilege, pid: 4472, process: PO 4800049984.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PO 4800049984.exe
  description: PID 4472 wrote to memory of 2880, pid: 4472, process: PO 4800049984.exe, target process: schtasks.exe
  description: PID 4472 wrote to memory of 2880, pid: 4472, process: PO 4800049984.exe, target process: schtasks.exe
  description: PID 4472 wrote to memory of 2880, pid: 4472, process: PO 4800049984.exe, target process: schtasks.exe
- outlook_office_path (1 IoC)
  Processes: PO 4800049984.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: PO 4800049984.exe
- outlook_win_path (1 IoC)
  Processes: PO 4800049984.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: PO 4800049984.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe"
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  - [2] C:\Windows\SysWOW64\schtasks.exe (child of [1])
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGVoQgH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp
  Filesize: 1KB
  MD5: cb9d93ebd2ad9dd3f91837e0dedbb328
  SHA1: 77d405c833dca690c65c5f34f671aeff2382e650
  SHA256: 29b53a9f52ee51f712767d11cb477aa54d87ff16c5a7c277ce1c73357d6d3e99
  SHA512: f97caf56d724df54c90d409633529541902a1a4d9f058036d68b8342f099f8fb72d437743ad626dffbb0305b04eba33058327bb28420ac90fb58af5c0ce69920
- memory/2880-134-0x0000000000000000-mapping.dmp
- memory/4472-130-0x00000000009C0000-0x0000000000A2C000-memory.dmp
  Filesize: 432KB
- memory/4472-131-0x00000000059B0000-0x0000000005F54000-memory.dmp
  Filesize: 5MB
- memory/4472-132-0x0000000005400000-0x0000000005492000-memory.dmp
  Filesize: 584KB
- memory/4472-133-0x00000000062A0000-0x000000000633C000-memory.dmp
  Filesize: 624KB
- memory/4472-136-0x0000000006F20000-0x0000000006F86000-memory.dmp
  Filesize: 408KB
- memory/4472-137-0x00000000068F0000-0x0000000006940000-memory.dmp
  Filesize: 320KB
- memory/4472-138-0x00000000068A0000-0x00000000068AA000-memory.dmp
  Filesize: 40KB