Overview (score 10)
Static (score 8)

Behavioral task scores by sample and platform:
trojan/1.exe   windows7_x64         10
trojan/1.exe   windows10-2004_x64   10
trojan/10.exe  windows7_x64         10
trojan/10.exe  windows10-2004_x64   8
trojan/2.exe   windows7_x64         3
trojan/2.exe   windows10-2004_x64   5
trojan/3.exe   windows7_x64         10
trojan/3.exe   windows10-2004_x64   10
trojan/4.exe   windows7_x64         8
trojan/4.exe   windows10-2004_x64   8
trojan/5.exe   windows7_x64         8
trojan/5.exe   windows10-2004_x64   8
trojan/6.exe   windows7_x64         10
trojan/6.exe   windows10-2004_x64   10
trojan/7.exe   windows7_x64         10
trojan/7.exe   windows10-2004_x64   10
trojan/8.exe   windows7_x64         (not shown)
trojan/8.exe   windows10-2004_x64   10
trojan/9.exe   windows7_x64         8
trojan/9.exe   windows10-2004_x64   8

Analysis
- max time kernel: 204s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 09:24
Static task
- static1

Behavioral tasks (sample on resource)
- behavioral1: trojan/1.exe on win7-20220414-en
- behavioral2: trojan/1.exe on win10v2004-20220414-en
- behavioral3: trojan/10.exe on win7-20220414-en
- behavioral4: trojan/10.exe on win10v2004-20220414-en
- behavioral5: trojan/2.exe on win7-20220414-en
- behavioral6: trojan/2.exe on win10v2004-20220414-en
- behavioral7: trojan/3.exe on win7-20220414-en
- behavioral8: trojan/3.exe on win10v2004-20220414-en
- behavioral9: trojan/4.exe on win7-20220414-en
- behavioral10: trojan/4.exe on win10v2004-20220414-en
- behavioral11: trojan/5.exe on win7-20220414-en
- behavioral12: trojan/5.exe on win10v2004-20220414-en
- behavioral13: trojan/6.exe on win7-20220414-en
- behavioral14: trojan/6.exe on win10v2004-20220414-en
- behavioral15: trojan/7.exe on win7-20220414-en
- behavioral16: trojan/7.exe on win10v2004-20220414-en
- behavioral17: trojan/8.exe on win7-20220414-en
- behavioral18: trojan/8.exe on win10v2004-20220414-en
- behavioral19: trojan/9.exe on win7-20220414-en
- behavioral20: trojan/9.exe on win10v2004-20220414-en
General
- Target: trojan/9.exe
- Size: 12.0MB
- MD5: 84bb70a4861bffd2852ed7fe6e71ec9b
- SHA1: e25e727215abcd5317236d8919f85a6e251f8367
- SHA256: a44cc1193a4f20d0c1e94841b21b0bcfeec45a30dc68ba6eb68d0ea5aef6c942
- SHA512: 42749e3034a2027cc658c03ec1ff7191d643bced89d887cfef5f84127d785fc3b948a1dade7db209fc5a5bb258de831d116e3ca46f8740540603937a1203e3f3
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1884  NDRSTU54369LVG.7180882.2731677.System.52900.exe
    PID 2020  svchost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    9.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\svchost.exe"
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    svchost.exe: File opened (read-only) \??\E:, \??\F:, \??\R:, \??\T:, \??\Z:, \??\J:, \??\N:, \??\S:, \??\U:, \??\Y:, \??\H:, \??\K:, \??\M:, \??\O:, \??\Q:, \??\W:, \??\G:, \??\I:, \??\L:, \??\P:, \??\V:, \??\X:
- Drops file in Windows directory (2 IoCs)
  Processes:
    9.exe: File created C:\Windows\svchost.exe
    svchost.exe: File created C:\Windows\screen.zip
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1096 (9.exe) wrote to memory of PID 2020 (svchost.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\trojan\9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan\9.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\trojan\NDRSTU54369LVG.7180882.2731677.System.52900.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\trojan\\NDRSTU54369LVG.7180882.2731677.System.52900.exe
    - Executes dropped EXE
  - C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\trojan\NDRSTU54369LVG.7180882.2731677.System.52900.exe
  Filesize: 3.4MB
  MD5: 37caf406fe061351e4ce8f23bf122671
  SHA1: b11d2e72ae284b3ea6c2019dbdfc05193c5ecec5
  SHA256: 854c298c121401b0f012aaa2dd895efcc3cd5c113cdbe4c0a7ef1c36a7de3d34
  SHA512: 5ed013deb27de8bd322444c4e1971f8c9d204001d0fc607e5c9a8f10432a2603c46090eca1e099609565f93e0ec19e14932799a57fa9636d7b7bdaee1f00f943
- C:\Windows\svchost.exe
  Filesize: 8.6MB
  MD5: 577a87ffa171d9aca7d2feff94af70f1
  SHA1: 1d15652841e9b86748135070f8bcc2d9048125dc
  SHA256: 68f85c550888a8ef8e49eddae8020ad45aeeb15c961fbc55af08fe3e07dfda6e
  SHA512: debd5e89eea4f0e7dcb70812675715e175e5e5f284f7c0b5475513cf54c7dfc5b58a1e9dd2a4cca64c592a673b3463cd224070da61b32c24bde48dccd89ab8e5
- memory/1096-54-0x00000000752A1000-0x00000000752A3000-memory.dmp
  Filesize: 8KB
- memory/2020-56-0x0000000000000000-mapping.dmp