Analysis

  • max time kernel
    138s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:40

General

  • Target

    PO 4800049984.exe

  • Size

    405KB

  • MD5

    ad5ecefbac91d7cee3191da22872e2ec

  • SHA1

    c4c6bc3ce6e2ee682982403e97eb5364ebd9b01d

  • SHA256

    301c31d38f7cb13d8128b53666c66e251d7a398c1b0fdae66d52ab0d377852ef

  • SHA512

    0375ba09e09e00c63aa8d20d3c25751139c2b5bfc98f8664258349b696a0edc001c5070a38968325887943b8b07a8c6b8f89a8ca1c10c41db7113c2ae568cd87

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 4800049984.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4472
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGVoQgH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4B70.tmp
    Filesize

    1KB

    MD5

    cb9d93ebd2ad9dd3f91837e0dedbb328

    SHA1

    77d405c833dca690c65c5f34f671aeff2382e650

    SHA256

    29b53a9f52ee51f712767d11cb477aa54d87ff16c5a7c277ce1c73357d6d3e99

    SHA512

    f97caf56d724df54c90d409633529541902a1a4d9f058036d68b8342f099f8fb72d437743ad626dffbb0305b04eba33058327bb28420ac90fb58af5c0ce69920

  • memory/2880-134-0x0000000000000000-mapping.dmp
  • memory/4472-130-0x00000000009C0000-0x0000000000A2C000-memory.dmp
    Filesize

    432KB

  • memory/4472-131-0x00000000059B0000-0x0000000005F54000-memory.dmp
    Filesize

    5MB

  • memory/4472-132-0x0000000005400000-0x0000000005492000-memory.dmp
    Filesize

    584KB

  • memory/4472-133-0x00000000062A0000-0x000000000633C000-memory.dmp
    Filesize

    624KB

  • memory/4472-136-0x0000000006F20000-0x0000000006F86000-memory.dmp
    Filesize

    408KB

  • memory/4472-137-0x00000000068F0000-0x0000000006940000-memory.dmp
    Filesize

    320KB

  • memory/4472-138-0x00000000068A0000-0x00000000068AA000-memory.dmp
    Filesize

    40KB