Analysis
- max time kernel: 6s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 16:38
Static task: static1
Behavioral task: behavioral1
Sample: c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Resource: win7-20220414-en
General
- Target: c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
- Size: 6.2MB
- MD5: 95e661012d34b52fb7e8373a40c7ca68
- SHA1: 10626926b31d603ee17931de6abff60c8b827b1e
- SHA256: c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb
- SHA512: c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87
Malware Config
Signatures
- YARA rule matches
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe  upx
  C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe  upx
  C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe  upx
  C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe  upx
  C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe  upx
  C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 3 IoCs)
  Processes (pid / process):
  2192  PING.EXE
  3360  PING.EXE
  4716  PING.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  4200  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe  (6 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  4200  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
- Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes (pid / process):
  4200  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe  (7 entries)
- Suspicious use of SendNotifyMessage (7 IoCs)
  Processes (pid / process):
  4200  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe  (7 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 4200 wrote to memory of 2336  4200  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe  c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe  (3 entries)
Processes
Process tree (indentation = depth; each entry shows the image path, then its command line):
- [1] C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
      "C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
        C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe /nstart
  - [2] C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
        C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe /nys
    - [3] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZNAs2UN.bat
      - [4] C:\Windows\system32\PING.EXE
            ping -n 3 127.0.0.1
            - Runs ping.exe
  - [2] C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
        C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe /HomeRegAccess10
  - [2] C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
        C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
  - [2] C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
        C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
  - [2] C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
        C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe /HomeRegAccess10
  - [2] C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
        C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
- [1] C:\Windows\system32\PING.EXE
      ping -n 3 127.0.0.1
      - Runs ping.exe
- [1] C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ZNAs2UN.bat
  Filesize: 493B
  MD5: cdb69e987bd9c31297e53905f0bd8673
  SHA1: 2c4348f17eda01cb18c464b416349c50d24927b7
  SHA256: 27770035d6d23d8504c078c8aeff751e5ab8b13893df5e233e0f364eac76d3be
  SHA512: 6c350d3222b4310d2e3010067c1695544c75a8b1bf67c5b76d703f2736bf10f019896d2b32a40ac6cf4c214003e4df5c30a6f644963431bab139d2da4c4e4543
- C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
  Filesize: 236KB
  MD5: 55547e0cd6b935ff494788efb99aaefe
  SHA1: e5d29d17a27c6df95fb74e43e6b00356117e2bff
  SHA256: 27ade26365b137789b66778b1aa73b018aa1806408d39b338ef5f2d33b7bc5e2
  SHA512: ef1f8b8f816872902f3535fd56124500121dd3bac4630cfdd5ee2abc55f0438a557dd103dfcf84194b6155c5cadedd6e01bc4b9fa386692e8428d3de517427e2
- C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
  Filesize: 203KB
  MD5: bb8a3e3595812b95166b2681b5b81d94
  SHA1: 5cad57f2635ea85ed3ced28a6aa14d2a443f536f
  SHA256: 778c0c5dd9b479e2d468ed01291df9b58e063da8b1a4033b68a44689cd300a49
  SHA512: ff186439b2ad713096fc158f1c99c914e1b161289890634485757f39980b870ed93febdb704ebabd4f7be4a4ef624fc946c47d1ee54d76d1dc2b61dd3af08f46
- C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
  Filesize: 175KB
  MD5: d2e55105e6420581fb0450494d064a69
  SHA1: 3ac9b165b66a5aca74d900184178d7ddebc27d60
  SHA256: 96fe84bff1261ae68ad8758f6a9c1cbf329b6bdb277e735913c078b6ffb5e344
  SHA512: 2090ba579f985ee6439bf64afebddb8f92d4c6e553d277720f455129af8011d5b1782f3224ed2562227bfe80d41e6938f052b1d79ae52968adfda08d1b09ceb0
- C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
  Filesize: 138KB
  MD5: 601b861f24bf4be184b116aa45c24844
  SHA1: 881e0ab8110575a3509ad4c0969d0918d4d86176
  SHA256: fe21b1969419b3a2bdd0a230474cbe44103229353513544202349d5404aba83e
  SHA512: 0b948fd135482972d71117792e897467f6d361d9ba2184e67e62ac16bfdd4dfe9d22e7b32142314ff4f7bc4ca546fad67ddec8f1dfac4a80b8f963f1c3082146
- C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
  Filesize: 115KB
  MD5: e04c81e43d5a10334103c15f661535e6
  SHA1: 20be91b5329523a966343cb3af946d137311a861
  SHA256: e4b4a8da1691cc861211c6daa3e006801867ed5b423dda8b3fc3641a63ee4480
  SHA512: fd07038908fe468516077b6f3a682f65d16f927db18f6a9df845f6ed898e79d85207cbb173fac555350c98a735a137949918c4754eb33bd04b017964eb327498
- C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
  Filesize: 152KB
  MD5: 7da71ea4b2e878085dadbc734ba8e7fe
  SHA1: 0d215214d372da6c6ed0d2e0888ca98596de6c8f
  SHA256: d83a17278a646e011beae24461cd23b0ae7ec1a303386375c2894c89ef85d985
  SHA512: ba1f8e2ebbae27e54e1679ebac3890968b74c52e080abdd843ffe41164813c0e9ee82337d97fa17c184a6fa437c56eac4ab12f430902c09c05bfbcd2a07d3cd5
- C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
  Filesize: 187KB
  MD5: 6b00bdbb6e37bd2f9689f34d692fce4f
  SHA1: c75d7d718c1f033fc828119cd4a59714eb764196
  SHA256: 08b91454c5642fb38d0acf1fed777645283691c6fe88af92f3933bb5618de086
  SHA512: cda80d349bc754da292f8300dcdf2e1a821d0a8066333a0c99c9063bcbda92a79333457b69eb143bfbd976e5ad4e0b003993a4a93346a242b7dd2dea6664dc2e
- C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
  Filesize: 154KB
  MD5: 1ca43452f491127fc49110bc2771bfbe
  SHA1: de0106026431d182715ab42c73b82254202500c7
  SHA256: 07085b304ce92fb5906313b648d6a519f02e9d34465fb0e2ae16dfb68096c828
  SHA512: c116b944af5813f8085fc31d933e1fdc2638541314be92a9a39e242b42efdedf6bb040614907939593c8c2494c6198e7d11d0c28047ed8586016d100c0b209c4
- C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
  Filesize: 155KB
  MD5: 5704107fd421a7f3e583964652c2bb4e
  SHA1: 7759dbd56315d2268575c051254ccfe02441858d
  SHA256: 5ee7004f5f62d7dcd5a88afb6e5981a093bc2fd73131f0c54a6bfe5c2fddf90b
  SHA512: 00d661227b817ff2c5102f8fb774b5552e33ddd0e60459b52dd925ef65d80ab59d9f6c9a75b3ff0b006dc21c6f3a4d1b7c23e9225f43eeb83d9874c08e4daf0b
- C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
  Filesize: 113KB
  MD5: c73fbc90145fe5ea5e4bbdbef0abef6c
  SHA1: 9383094279f32cfe4f8229ddda0e1e74185ce0d2
  SHA256: f9fac29a9e38ca9871af9b967ada82e92c2c45154c6723a66645b83f0a6e2b73
  SHA512: ccaadb83791031c1ace6c5b0c6485d47a8f8ef12b1dfc366f220abc0c09cb4402e9e03d24f931297e117ae49accce90cc323f6e3885fd615e6c29c92af9164e4
Memory dumps:
- memory/1560-147-0x0000000000000000-mapping.dmp
- memory/2024-145-0x0000000000000000-mapping.dmp
- memory/2192-150-0x0000000000000000-mapping.dmp
- memory/2336-130-0x0000000000000000-mapping.dmp
- memory/2940-137-0x0000000000000000-mapping.dmp
- memory/3360-149-0x0000000000000000-mapping.dmp
- memory/4424-131-0x0000000000000000-mapping.dmp
- memory/4628-140-0x0000000000000000-mapping.dmp
- memory/4660-142-0x0000000000000000-mapping.dmp
- memory/4716-151-0x0000000000000000-mapping.dmp
- memory/4848-134-0x0000000000000000-mapping.dmp