Analysis
-
max time kernel
107s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2022 21:06
Static task
static1
Behavioral task
behavioral1
Sample
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe
Resource
win10v2004-20220718-en
General
-
Target
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe
-
Size
829KB
-
MD5
2cfe62a4b6477f49bcb39489ac799406
-
SHA1
ad1ea2f9cc41d380508bf9d7a53ad69096133a32
-
SHA256
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6
-
SHA512
0d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1
Malware Config
Extracted
Protocol: ftp- Host:
ftp.spytector.com - Port:
21 - Username:
[email protected] - Password:
751g902S
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
wintask.scrpid process 1636 wintask.scr -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe Key opened \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe Key opened \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
wintask.scrdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scheduler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wintask.scr" wintask.scr -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 myexternalip.com 2 myexternalip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 4448 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exepid process 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEwintask.scrpid process 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 4448 EXCEL.EXE 1636 wintask.scr 1636 wintask.scr 4448 EXCEL.EXE 4448 EXCEL.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exedescription pid process target process PID 3448 wrote to memory of 1636 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe wintask.scr PID 3448 wrote to memory of 1636 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe wintask.scr PID 3448 wrote to memory of 1636 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe wintask.scr PID 3448 wrote to memory of 4448 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe EXCEL.EXE PID 3448 wrote to memory of 4448 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe EXCEL.EXE PID 3448 wrote to memory of 4448 3448 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe EXCEL.EXE -
outlook_office_path 1 IoCs
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe -
outlook_win_path 1 IoCs
Processes:
4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe"C:\Users\Admin\AppData\Local\Temp\4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\wintask.scr"C:\Users\Admin\AppData\Local\Temp\wintask.scr"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1636 -
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Microsoft Excel2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4448
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DXWRK.htmlFilesize
885B
MD503e2b533f23caf6c973e1b03dd7a22eb
SHA1d84c87b19b0e716a0b59eeda47f967e706d64f57
SHA2565d4c4a23cfa76c2e9c985a098985c411e31ca6facd7805f3b885038c1e78500f
SHA512807e7f7327b634863f5e9aa9eec19f2bf449fcf23adce758c028fa76bf62ccb298a03c1d0b1980604efb777d55c4e9c332a0f1c92ddaeb41575b8d111d2cd372
-
C:\Users\Admin\AppData\Local\Temp\Logs.htmlMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\wintask.scrFilesize
829KB
MD52cfe62a4b6477f49bcb39489ac799406
SHA1ad1ea2f9cc41d380508bf9d7a53ad69096133a32
SHA2564fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6
SHA5120d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1
-
C:\Users\Admin\AppData\Local\Temp\wintask.scrFilesize
829KB
MD52cfe62a4b6477f49bcb39489ac799406
SHA1ad1ea2f9cc41d380508bf9d7a53ad69096133a32
SHA2564fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6
SHA5120d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1
-
memory/1636-130-0x0000000000000000-mapping.dmp
-
memory/4448-137-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-136-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-138-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-135-0x0000000000000000-mapping.dmp
-
memory/4448-139-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-140-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-141-0x00007FFED6A60000-0x00007FFED6A70000-memory.dmpFilesize
64KB
-
memory/4448-142-0x00007FFED6A60000-0x00007FFED6A70000-memory.dmpFilesize
64KB
-
memory/4448-144-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-145-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-146-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB
-
memory/4448-147-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmpFilesize
64KB