Analysis
- max time kernel: 130s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 09-06-2022 14:12
Behavioral tasks (sample, resource)
- behavioral1: 7zS8A52FD1B/62a1ea227dc1c_17ee33ef3.exe, win7-20220414-en
- behavioral2: 7zS8A52FD1B/62a1ea227dc1c_17ee33ef3.exe, win10v2004-20220414-en
- behavioral3: 7zS8A52FD1B/62a1ea23342ae_c77562.exe, win7-20220414-en
- behavioral4: 7zS8A52FD1B/62a1ea23342ae_c77562.exe, win10v2004-20220414-en
- behavioral5: 7zS8A52FD1B/62a1ea23da745_6e68c9a.exe, win7-20220414-en
- behavioral6: 7zS8A52FD1B/62a1ea23da745_6e68c9a.exe, win10v2004-20220414-en
- behavioral7: 7zS8A52FD1B/62a1ea243386e_a4f8a5d8a.exe, win7-20220414-en
- behavioral8: 7zS8A52FD1B/62a1ea243386e_a4f8a5d8a.exe, win10v2004-20220414-en
- behavioral9: 7zS8A52FD1B/62a1ea2501f48_0371f5.exe, win7-20220414-en
- behavioral10: 7zS8A52FD1B/62a1ea2501f48_0371f5.exe, win10v2004-20220414-en
- behavioral11: 7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe, win7-20220414-en
- behavioral12: 7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe, win10v2004-20220414-en
- behavioral13: 7zS8A52FD1B/62a1ea2b65292_c4804f5141.exe, win7-20220414-en
- behavioral14: 7zS8A52FD1B/62a1ea2b65292_c4804f5141.exe, win10v2004-20220414-en
- behavioral15: 7zS8A52FD1B/62a1ea2d09364_3056ccd.exe, win7-20220414-en
- behavioral16: 7zS8A52FD1B/62a1ea2d09364_3056ccd.exe, win10v2004-20220414-en
- behavioral17: 7zS8A52FD1B/62a1ea2df066e_add786971.exe, win7-20220414-en
- behavioral18: 7zS8A52FD1B/62a1ea2df066e_add786971.exe, win10v2004-20220414-en
- behavioral19: 7zS8A52FD1B/62a1ea2f0beee_36a9ec29c.exe, win7-20220414-en
- behavioral20: 7zS8A52FD1B/62a1ea2f0beee_36a9ec29c.exe, win10v2004-20220414-en
- behavioral21: 7zS8A52FD1B/62a1ea2fb0309_1d35870d.exe, win7-20220414-en
- behavioral22: 7zS8A52FD1B/62a1ea2fb0309_1d35870d.exe, win10v2004-20220414-en
- behavioral23: 7zS8A52FD1B/62a1ea319013f_e64e1ff.exe, win7-20220414-en
- behavioral24: 7zS8A52FD1B/62a1ea319013f_e64e1ff.exe, win10v2004-20220414-en
- behavioral25: 7zS8A52FD1B/62a1ea3215fd5_67a668.exe, win7-20220414-en
- behavioral26: 7zS8A52FD1B/62a1ea3215fd5_67a668.exe, win10v2004-20220414-en
- behavioral27: 7zS8A52FD1B/libgcc_s_dw2-1.dll, win7-20220414-en
- behavioral28: 7zS8A52FD1B/libgcc_s_dw2-1.dll, win10v2004-20220414-en
- behavioral29: 7zS8A52FD1B/libstdc++-6.dll, win7-20220414-en
- behavioral30: 7zS8A52FD1B/libstdc++-6.dll, win10v2004-20220414-en
- behavioral31: 7zS8A52FD1B/libwinpthread-1.dll, win7-20220414-en
- behavioral32: 7zS8A52FD1B/libwinpthread-1.dll, win10v2004-20220414-en
General
- Target: 7zS8A52FD1B/62a1ea3215fd5_67a668.exe
- Size: 78KB
- MD5: 923ba5913c151121517c52f609242616
- SHA1: 7976305e7afb69e70cca1b29b3e9436b2cd08e25
- SHA256: 5d4b830ec56d8bbfdb305e904e6c0f00fc1744a1c7c15e8c71265d08c3aa35e0
- SHA512: 7e03947d789f40aacd131287d445d0e3dbe95e9ff1e6ceea211009c3424ae55884365119aa46e1bef4cc0adba108a036d9c3330ef6f3acf2f97e0f83f7a0a202
Malware Config
Signatures
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: 00000029..exe (pid 3880)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation by 62a1ea3215fd5_67a668.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation by 00000029..exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (pid 252)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, 00000029..exe (pid 3880)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4836 (62a1ea3215fd5_67a668.exe) wrote to memory of 3880 (00000029..exe), 3 times
  PID 4836 (62a1ea3215fd5_67a668.exe) wrote to memory of 4580 (cmd.exe), 3 times
  PID 4580 (cmd.exe) wrote to memory of 4444 (PING.EXE), 3 times
  PID 3880 (00000029..exe) wrote to memory of 2272 (cmd.exe), 3 times
  PID 2272 (cmd.exe) wrote to memory of 252 (timeout.exe), 3 times
Processes (indented by process tree depth)
- [1] C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea3215fd5_67a668.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea3215fd5_67a668.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\00000029..exe
    Command line: "C:\Users\Admin\AppData\Roaming\00000029..exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout 2 && del "C:\Users\Admin\AppData\Roaming\00000029..exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea3215fd5_67a668.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
Downloads
- C:\Users\Admin\AppData\Roaming\00000029..exe
  Filesize: 210KB
  MD5: 0e26b7235e0b1d31e8488e20dea0dce4
  SHA1: a360c46244a1460e48b503037374934fe0c61391
  SHA256: 9bbf733b9b1917d15385efa8928577f81ce7da4b8940a2b7c8bacc5c2b3b5ed3
  SHA512: a83c1d771b6dc21a264a74873f2c838717d1bfcbcd553be1f84c8da894077de7b8b4c59bf707bf230a0aceec4d6fbf7d092f6672ef8766d8e8ccc8b4fe0a434b
- memory/252-140-0x0000000000000000-mapping.dmp
- memory/2272-139-0x0000000000000000-mapping.dmp
- memory/3880-130-0x0000000000000000-mapping.dmp
- memory/3880-133-0x0000000004DB0000-0x0000000004E00000-memory.dmp (Filesize: 320KB)
- memory/3880-134-0x0000000004E70000-0x0000000004ED6000-memory.dmp (Filesize: 408KB)
- memory/3880-137-0x0000000005640000-0x00000000056D2000-memory.dmp (Filesize: 584KB)
- memory/3880-138-0x0000000005C90000-0x0000000006234000-memory.dmp (Filesize: 5.6MB)
- memory/4444-136-0x0000000000000000-mapping.dmp
- memory/4580-135-0x0000000000000000-mapping.dmp