Analysis
- Max time kernel: 140s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 03-07-2022 09:56

Static task: static1

Behavioral task: behavioral1
- Sample: 3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
- Resource: win10v2004-20220414-en
General
- Target: 3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
- Size: 564KB
- MD5: 8581c725f6f67c689a28937690b7edba
- SHA1: 1b7706404eaac00e1150c83f837a6209115264ee
- SHA256: 3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551
- SHA512: 7b96484be7360e494cc16c94bc44f61aa6286e33031cfb4117763dd43c345dd4f609adb1dfc70e27dd6cc95f70a8e808f6b62cdf11edb876ee27c96b06c4d241
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2140  filename.exe
    3452  filename.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  WScript.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  filename.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  filename.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  filename.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  WScript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"  WScript.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2140 set thread context of 3452  2140  filename.exe  filename.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings  3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3452  filename.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1228  3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
    2140  filename.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a count):
    PID 1228 wrote to memory of 3500  1228  3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe  WScript.exe  (3 entries)
    PID 3500 wrote to memory of 2140  3500  WScript.exe  filename.exe  (3 entries)
    PID 2140 wrote to memory of 3452  2140  filename.exe  filename.exe  (10 entries)
- outlook_office_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  filename.exe
- outlook_win_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  filename.exe
Processes (process tree; depth in parentheses)
- (1) C:\Users\Admin\AppData\Local\Temp\3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bb34756a2c094cb51e9de7325b34ca0a540ea22c50dfa07e63d408dff194551.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - (3) C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - (4) C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
  Filesize: 564KB
  MD5: 8bcecb719f8bc6d9577bfdce03f91733
  SHA1: 0e87ce5ac4973a2995d63a345c2d63234bb59182
  SHA256: 7926f16c171339403e61105ea52dafc8c735a1dde615d897edb8f56dbf949f82
  SHA512: e06abf371f490fca9c47b573fa1a6c15c98167d9c5d27e60d227e8ed78ad7ff93b8e2d25bf0a93648f6559553b3a138dbd1a993bb619fbd43d80ce1564ee0ab7
- C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
  Filesize: 1024B
  MD5: 4edd06f7850d9c0be2933f139defc809
  SHA1: a9296ee86fa7d35c61b086fce248ff09f79956cf
  SHA256: 55c25ac53f1c1190c200abcb955058f1e766947daff9e4e94160dbccdba1e32c
  SHA512: fb9597ed5305e3f339e96258c857d4752e1a320706c8410b3f462d09c32d46326c74647621f582412b46179a17494e2f586902482473aab01afff9e5ceb9cf93
- memory/1228-132-0x00000000007C0000-0x00000000007C6000-memory.dmp
  Filesize: 24KB
- memory/2140-136-0x0000000000000000-mapping.dmp
- memory/3452-140-0x0000000000000000-mapping.dmp
- memory/3452-141-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3452-145-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3452-146-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3452-147-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3452-148-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3500-133-0x0000000000000000-mapping.dmp