Analysis
-
max time kernel
126s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 03:36
Static task
static1
Behavioral task
behavioral1
Sample
4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe
Resource
win10v2004-20220414-en
General
-
Target
4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe
-
Size
182KB
-
MD5
87ad62ff5669b41f8994695b3aa05cbf
-
SHA1
c6eb9d9a0df8ca97784b57ebe719b227ebfaf262
-
SHA256
4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403
-
SHA512
2b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd
Malware Config
Extracted
buer
https://gstatiknetiplist.cc/
https://gstatiknetiplist.com/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\responder.exe\"" responder.exe -
resource yara_rule behavioral1/memory/1664-57-0x0000000000020000-0x000000000002A000-memory.dmp buer behavioral1/memory/1664-58-0x0000000040000000-0x00000000429E4000-memory.dmp buer behavioral1/memory/1276-66-0x0000000040000000-0x00000000429E4000-memory.dmp buer -
Executes dropped EXE 1 IoCs
pid Process 1276 responder.exe -
Deletes itself 1 IoCs
pid Process 1276 responder.exe -
Loads dropped DLL 2 IoCs
pid Process 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: responder.exe File opened (read-only) \??\E: responder.exe File opened (read-only) \??\H: responder.exe File opened (read-only) \??\F: responder.exe File opened (read-only) \??\J: responder.exe File opened (read-only) \??\K: responder.exe File opened (read-only) \??\L: responder.exe File opened (read-only) \??\O: responder.exe File opened (read-only) \??\S: responder.exe File opened (read-only) \??\A: responder.exe File opened (read-only) \??\B: responder.exe File opened (read-only) \??\W: responder.exe File opened (read-only) \??\Y: responder.exe File opened (read-only) \??\Z: responder.exe File opened (read-only) \??\U: responder.exe File opened (read-only) \??\V: responder.exe File opened (read-only) \??\P: responder.exe File opened (read-only) \??\Q: responder.exe File opened (read-only) \??\R: responder.exe File opened (read-only) \??\I: responder.exe File opened (read-only) \??\M: responder.exe File opened (read-only) \??\X: responder.exe File opened (read-only) \??\G: responder.exe File opened (read-only) \??\T: responder.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1276 responder.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1664 wrote to memory of 1276 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe 28 PID 1664 wrote to memory of 1276 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe 28 PID 1664 wrote to memory of 1276 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe 28 PID 1664 wrote to memory of 1276 1664 4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe 28 PID 1276 wrote to memory of 1328 1276 responder.exe 29 PID 1276 wrote to memory of 1328 1276 responder.exe 29 PID 1276 wrote to memory of 1328 1276 responder.exe 29 PID 1276 wrote to memory of 1328 1276 responder.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe"C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\ProgramData\ErrorResponder\responder.exeC:\ProgramData\ErrorResponder\responder.exe "C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\ErrorResponder\responder.exe3⤵PID:1328
-
-
Network
-
Remote address:8.8.8.8:53Requestgstatiknetiplist.ccIN AResponse
-
Remote address:8.8.8.8:53Requestgstatiknetiplist.comIN AResponse
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
182KB
MD587ad62ff5669b41f8994695b3aa05cbf
SHA1c6eb9d9a0df8ca97784b57ebe719b227ebfaf262
SHA2564aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403
SHA5122b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd
-
Filesize
114KB
MD52f820b8db532422a9cce2aca2fb415bd
SHA180d5aa9bff3086d24777b07c75fda5fd9b271628
SHA256500a8fb1c6e3f687375f5dbdfa1a8c384e9519ea8b3579ca87653a06a8433a70
SHA512b299a0b548456164963eed1e2699373e0eefea22801bdc5d576d96b441fe74ca1d38deb2669ed68ab12e1173d53db4349e91b7c78d03ed051e2c1871c25728d4
-
Filesize
182KB
MD587ad62ff5669b41f8994695b3aa05cbf
SHA1c6eb9d9a0df8ca97784b57ebe719b227ebfaf262
SHA2564aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403
SHA5122b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd
-
Filesize
182KB
MD587ad62ff5669b41f8994695b3aa05cbf
SHA1c6eb9d9a0df8ca97784b57ebe719b227ebfaf262
SHA2564aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403
SHA5122b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd