Analysis
- max time kernel: 93s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-06-2022 03:38

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe
  Resource: win7-20220414-en
General
- Target: 1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe
- Size: 1.0MB
- MD5: b38094dd1906ba24beb97ec7055b21b1
- SHA1: 6aabc056817369549cb8c0c857395aa3ec6530ed
- SHA256: 1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567
- SHA512: 54a1347d8e63e54ed6781323384a22d16a3cf5cac1e477508ac7b59cee12b6642b2cfbdab46d2bb9cbc898af6e7149214a9564dcb2e694e8d3d94e3e3c18119b
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  800 | DePass_Micro.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. The Nation value holds the Windows GeoID of the user's configured location as a decimal string, so the sample can branch on country without any network lookup. Note for detection: this IoC is a value query, which Sysmon registry events (12-14) do not record; observing it on a host needs object-access auditing with a SACL on the key (Event 4663) or EDR telemetry.
  Processes (description | IoC | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe

- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  800 | DePass_Micro.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description labels this likely ransomware behaviour, but drive enumeration is just as common in infostealers profiling a host; read it together with the browser-data signature above rather than as a ransomware verdict.

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process); each edge was recorded three times, and every write goes from a parent into the child it has just created, which is consistent with process start-up rather than injection into an unrelated process:
  PID 4368 wrote to memory of 624 | 4368 | 1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe | cmd.exe (3 IoCs)
  PID 624 wrote to memory of 1432 | 624 | cmd.exe | cmd.exe (3 IoCs)
  PID 1432 wrote to memory of 800 | 1432 | cmd.exe | DePass_Micro.exe (3 IoCs)
Processes
(PIDs taken from the WriteProcessMemory IoCs above; indentation shows parent/child.)

- [PID 4368] C:\Users\Admin\AppData\Local\Temp\1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [PID 624] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\RSA\1.bat" "
    (The parent is a 32-bit process, so its request for system32\cmd.exe is redirected by WOW64 to SysWOW64\cmd.exe.)
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1432] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K 2.bat
      (2.bat is given as a relative path; the report does not record the working directory, though 2.bat was dropped in C:\Users\Admin\AppData\Roaming\Local\RSA.)
      Signatures: Suspicious use of WriteProcessMemory
      - [PID 800] C:\Users\Admin\AppData\Local\Temp\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe
        Command line: DePass_Micro.exe /Silent /nm
        Signatures: Executes dropped EXE; Loads dropped DLL
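The process tree above is the reusable part of this report: a dropper writes two batch files, chains two cmd.exe instances through them, and finally launches an executable from a randomly named folder under %TEMP%. The following Python is an added example, not sandbox output or code from the sample. It transcribes the four processes from the tree (PIDs from the WriteProcessMemory IoCs), rebuilds the parent chain, flags the "cmd.exe on a .bat leads to an executable in a user-writable directory" pattern, and checks that every recorded memory write is parent-to-child. The record layout (Proc dataclass) and the heuristics are the example's own assumptions, not a format the sandbox emits.

```python
"""Rebuild the dropper chain from the process records in this report and flag the
'dropped .bat -> cmd.exe chain -> executable started from a user-writable directory'
pattern. Added example, not sandbox output: the records are transcribed from the
report's process tree, with PIDs taken from its WriteProcessMemory IoCs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    image: str            # image path as the sandbox recorded it
    cmdline: str


SAMPLE = "1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Transcribed from the report's process tree (PIDs from the WriteProcessMemory table).
RECORDS = [
    Proc(4368, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(624, 4368, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\RSA\1.bat" "'),
    Proc(1432, 624, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /K 2.bat"),
    Proc(800, 1432, TEMP + r"\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe",
         r"DePass_Micro.exe /Silent /nm"),
]

# The report's nine WriteProcessMemory IoCs collapse to three (writer, target) pairs.
WRITES = [(4368, 624), (624, 1432), (1432, 800)]

# Heuristics (the example's own assumptions): images under %TEMP% or %APPDATA%, and
# cmd.exe started with /c or /K on a batch file.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
CMD_RUNS_BAT = re.compile(r"\s/[ck]\s+.*\.bat\b", re.I)


def ancestry(records: List[Proc], pid: int) -> List[int]:
    """PIDs from the tree root down to pid, following ppid links."""
    by_pid = {p.pid: p for p in records}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None:
        chain.append(cur)
        cur = by_pid[cur].ppid
    return chain[::-1]


def flag_dropper_chains(records: List[Proc]) -> List[Tuple[List[int], str]]:
    """Return (pid chain, image) for each non-root process whose image lives under a
    user-writable directory and whose ancestry contains a cmd.exe started on a .bat."""
    by_pid = {p.pid: p for p in records}
    hits: List[Tuple[List[int], str]] = []
    for p in records:
        if p.ppid is None or not USER_WRITABLE.search(p.image):
            continue
        chain = ancestry(records, p.pid)
        batch_parents = [
            q for q in chain[:-1]
            if by_pid[q].image.lower().endswith("\\cmd.exe")
            and CMD_RUNS_BAT.search(by_pid[q].cmdline)
        ]
        if batch_parents:
            hits.append((chain, p.image))
    return hits


def writes_follow_tree(records: List[Proc], writes: List[Tuple[int, int]]) -> bool:
    """True when every WriteProcessMemory edge is parent -> direct child. Writes that
    coincide with process creation are ordinary start-up behaviour; a write into a
    process that is not the writer's own child would point at injection instead."""
    by_pid = {p.pid: p for p in records}
    return all(by_pid[target].ppid == writer for writer, target in writes)


if __name__ == "__main__":
    for chain, image in flag_dropper_chains(RECORDS):
        print(" -> ".join(map(str, chain)), image)
    print("writes coincide with process creation:", writes_follow_tree(RECORDS, WRITES))
```

Run against the transcribed records this yields the single chain 4368 -> 624 -> 1432 -> 800 ending in DePass_Micro.exe, and confirms that all three write edges coincide with process creation. The same two functions apply unchanged to process-creation telemetry from a host, provided it is mapped into the Proc records first.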
Downloads
- C:\Users\Admin\AppData\Local\Temp\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe
  Filesize: 1.7MB
  MD5: 85ebf9e998f85b243775f42df3d79047
  SHA1: 7b8d3bda72e8911c3a18f6b0d14aec8b0d6d6bad
  SHA256: 72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7
  SHA512: 62f8246aef6271a34700542484362988f6873437b0ca49b1e25fb1932ee3d330795041dcee8cb9dd3bb5c0e7b93f8f3b2ffc5edc973c8a1efba19d257b0ca168
- C:\Users\Admin\AppData\Local\Temp\sqlite3.tmp
  Filesize: 590KB
  MD5: 9120403115f68fc32af4a1794e39cc8e
  SHA1: 43c29dcd4594436e2007900fd9d45a68e443ad44
  SHA256: 079f4cfc92f694308376df5339e72eeda850f81664a510405d563c0a711ca2a3
  SHA512: c2c22500cee61b1328c1d28820b1003bae00118255ff9dfc49359a13af841a17df2032f74d42e3e61fceb1cd53d61ab606b38a45ea7a7ae113189a33dd6f919a

- C:\Users\Admin\AppData\Roaming\Local\RSA\1.bat
  Filesize: 37B
  MD5: b5cc8da101df807fc8c932b3d26b6e47
  SHA1: e2e36f03d4c61dcd351763b677b84fa099dc2604
  SHA256: d1c5e037e959eb214638ec6630b9f1e4a58082c11439d23a17e7bae097631d61
  SHA512: 2f3cb8c3d54c499d1fd1cccc6b7e9c24595bcc8a5e91a0294ac07712f4311b3cb2f6d606ec1d82163d55e8f98b5b3a11942a4af6ab6e97dcf08fef5c4cd873b7

- C:\Users\Admin\AppData\Roaming\Local\RSA\2.bat
  Filesize: 547B
  MD5: 4bdd56492f538d4e8eef5d7c879b64a6
  SHA1: 28a2e301887b65171ee35bcd460aa1e360ebb874
  SHA256: 59687b9bdd72edaa3519504f5b7688a659b9d66ee03c29686dcd68470034e827
  SHA512: f45a202f86562f65f5a1d280dbc7ba7c57ca26a684bcc40eb3ce3b8e4405e1570d85d24975bc7d6eb7ba62fbeaac0203deca4224d688f4368d113101ec54dd67

- C:\Users\Admin\AppData\Roaming\Local\RSA\DePass_Micro.exe (same hashes as the copy under Temp\H8563f34fR_7T45Basd35S4E above)
  Filesize: 1.7MB
  MD5: 85ebf9e998f85b243775f42df3d79047
  SHA1: 7b8d3bda72e8911c3a18f6b0d14aec8b0d6d6bad
  SHA256: 72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7
  SHA512: 62f8246aef6271a34700542484362988f6873437b0ca49b1e25fb1932ee3d330795041dcee8cb9dd3bb5c0e7b93f8f3b2ffc5edc973c8a1efba19d257b0ca168

- C:\Users\Admin\AppData\Roaming\Local\RSA\fcp.exe
  Filesize: 472KB
  MD5: d86fd26b2340cead820b2a905c177c63
  SHA1: 313334f1d8e1a8a9c7473dead0a839c3f9855b86
  SHA256: 6ece2458ddfc2bc9be6d14d1c377b2a52bf502f3757ba8024de383d85899e21b
  SHA512: b3dc478779d0e2a93e8fcac0e0a34e3737c8a08b0479203c73fda8f3e3345618d06485a070f17cc6d880d07c3436af4b4ba8df29dc184b0717f3a2753cbb6413

- C:\Users\Admin\AppData\Roaming\Local\RSA\pthreadGC.dll
  Filesize: 50KB
  MD5: 2d6a905cbe6766adf6da9d4f5a461571
  SHA1: 4700349f065e96c40eb5f50aff554bf5b2eb2c21
  SHA256: d47dc7d06a2873c65758568a16aee0349d87de35d8d6e7c4249f1276e81f14fa
  SHA512: 84e79aa2cf1d7d1d31224572f193ce5527504fb58ef79aa5e4fb672188b9dae4a5ebb4e1ba3a7d2958a0a43095023ed9ba2d36604570575fdd594d9b42786848
- memory/624-130-0x0000000000000000-mapping.dmp
- memory/800-137-0x0000000000000000-mapping.dmp
- memory/1432-132-0x0000000000000000-mapping.dmp
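The dropped-file list is what most readers will take from this report, so here is an added example (not sandbox output, not code from the sample) that turns it into a host check. The SHA-256 table is transcribed from the entries above plus the submitted sample's own hash; DePass_Micro.exe appears at two paths with one hash, so it is a single entry. scan_tree() hashes every file under a directory and reports matches. The names REPORT_SHA256, normalize_iocs, sha256_file, scan_tree and build_demo_dir are the example's own; build_demo_dir creates a throwaway directory with constructed placeholder files so the script runs offline, and those placeholders are deliberately not the real samples, so they match only their own digest.

```python
"""Match files on disk against the SHA-256 indicators from this report.
Added example, not sandbox output. REPORT_SHA256 is transcribed from the
report's dropped-file list and the submitted sample's hash."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# SHA-256 -> file name as dropped in the sandbox (transcribed from the report).
REPORT_SHA256: Dict[str, str] = {
    "72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7": "DePass_Micro.exe",
    "079f4cfc92f694308376df5339e72eeda850f81664a510405d563c0a711ca2a3": "sqlite3.tmp",
    "d1c5e037e959eb214638ec6630b9f1e4a58082c11439d23a17e7bae097631d61": "1.bat",
    "59687b9bdd72edaa3519504f5b7688a659b9d66ee03c29686dcd68470034e827": "2.bat",
    "6ece2458ddfc2bc9be6d14d1c377b2a52bf502f3757ba8024de383d85899e21b": "fcp.exe",
    "d47dc7d06a2873c65758568a16aee0349d87de35d8d6e7c4249f1276e81f14fa": "pthreadGC.dll",
    "1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567": "submitted sample",
}


def normalize_iocs(digests: Iterable[str]) -> Set[str]:
    """Lower-case SHA-256 hex strings and drop anything that is not 64 hex characters,
    so a pasted or mis-copied indicator cannot silently never match."""
    out: Set[str] = set()
    for d in digests:
        d = d.strip().lower()
        if len(d) == 64 and all(c in "0123456789abcdef" for c in d):
            out.add(d)
    return out


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs: Dict[str, str] = REPORT_SHA256) -> List[Tuple[str, str, str]]:
    """Return (path, digest, ioc name) for every regular file under root whose SHA-256
    is in iocs. Matching is by content, so a renamed or relocated copy (as with the
    two DePass_Micro.exe paths in this report) still matches; a recompiled or padded
    variant will not, which is the usual limit of hash-based IOCs."""
    wanted = normalize_iocs(iocs)
    hits: List[Tuple[str, str, str]] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            d = sha256_file(p)
        except OSError:
            continue  # locked or unreadable; a real sweep should report these separately
        if d in wanted:
            hits.append((str(p), d, iocs[d]))
    return hits


def build_demo_dir() -> Tuple[str, str]:
    """Create a throwaway directory with constructed placeholder files (not the real
    samples) and return (root, digest of the placeholder) for an offline demonstration."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    marker = root / "H8563f34fR_7T45Basd35S4E" / "DePass_Micro.exe"
    marker.parent.mkdir(parents=True)
    marker.write_bytes(b"constructed placeholder, not the real dropper")
    (root / "benign.txt").write_text("nothing to see\n")
    return str(root), sha256_file(marker)


if __name__ == "__main__":
    root, digest = build_demo_dir()
    # The placeholder has different content from the real dropper, so no report IOC matches.
    print("report IOC hits:", scan_tree(root))
    # Against its own digest it matches regardless of name or location.
    print("demo hits:", scan_tree(root, {digest: "constructed marker"}))
```

To sweep a real host, call scan_tree on the user profile roots (the report places everything under C:\Users\Admin\AppData\Local\Temp and C:\Users\Admin\AppData\Roaming\Local\RSA) and treat any hit as confirmation of this exact build; absence of hits says nothing about a repacked variant, which is why the process-chain and registry indicators above matter as well.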