Analysis
Max time kernel: 113s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-06-2022 09:33

Static task: static1
Behavioral task: behavioral1
  Sample: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
  Resource: win10v2004-20220414-en

General
Target: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
Size: 615KB
MD5: d9eea652e097a3f9f950fc6998682ad0
SHA1: 773a2461085609843b85a605a80cc2fc9a79d5de
SHA256: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af
SHA512: 19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 1484: index.exe
  PID 1060: index.exe

Loads dropped DLL (1 IoCs)
Processes:
  PID 1464: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  Key opened by index.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by index.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by index.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  Set value (str) by 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\index = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\index.exe -boot"

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  Flow 4: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 1484 (index.exe) set thread context of PID 1060 (index.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1060: index.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 1464 (26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe)
  Token: SeDebugPrivilege, PID 1484 (index.exe)
  Token: SeDebugPrivilege, PID 1060 (index.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  PID 1060: index.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 1464 (26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe) wrote to memory of PID 1484 (index.exe): 4 events
  PID 1484 (index.exe) wrote to memory of PID 1060 (index.exe): 9 events

outlook_office_path (1 IoCs)
Processes:
  Key opened by index.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoCs)
Processes:
  Key opened by index.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

1. C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
  Filesize: 615KB
  MD5: d9eea652e097a3f9f950fc6998682ad0
  SHA1: 773a2461085609843b85a605a80cc2fc9a79d5de
  SHA256: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af
  SHA512: 19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
  Filesize: 615KB
  MD5: d9eea652e097a3f9f950fc6998682ad0
  SHA1: 773a2461085609843b85a605a80cc2fc9a79d5de
  SHA256: 26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af
  SHA512: 19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

- memory/1060-70-0x0000000000080000-0x00000000000B8000-memory.dmp: 224KB
- memory/1060-65-0x0000000000080000-0x00000000000B8000-memory.dmp: 224KB
- memory/1060-66-0x0000000000080000-0x00000000000B8000-memory.dmp: 224KB
- memory/1060-73-0x0000000000080000-0x00000000000B8000-memory.dmp: 224KB
- memory/1060-75-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1060-77-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1464-61-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1464-55-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp: 8KB
- memory/1484-57-0x0000000000000000-mapping.dmp
- memory/1484-62-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1484-63-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB
- memory/1484-76-0x0000000073EC0000-0x000000007446B000-memory.dmp: 5.7MB