Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 06:12
Static task
static1
Behavioral task
behavioral1
Sample
950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe
Resource
win7-20220718-en
General
-
Target
950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe
-
Size
35.9MB
-
MD5
1aa9acffe0e10bbb240e0dfa07936d38
-
SHA1
f0624cc7588dd3d8cb0a5f618afa518097aabb69
-
SHA256
950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18
-
SHA512
cd89eb5ab041a81f77f015b13485010b105704fc04125177c7045c950a4c40759a1f5359ec2e1f590bb8ee493e7b7f04e84f362c232953de6bbb32a386841b55
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 900 Decoder.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org 6 freegeoip.app 7 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Decoder.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Decoder.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 568 timeout.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 900 Decoder.exe 900 Decoder.exe 900 Decoder.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe Token: SeDebugPrivilege 900 Decoder.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 540 wrote to memory of 900 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 29 PID 540 wrote to memory of 900 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 29 PID 540 wrote to memory of 900 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 29 PID 540 wrote to memory of 900 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 29 PID 540 wrote to memory of 1168 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 30 PID 540 wrote to memory of 1168 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 30 PID 540 wrote to memory of 1168 540 950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe 30 PID 1168 wrote to memory of 568 1168 cmd.exe 32 PID 1168 wrote to memory of 568 1168 cmd.exe 32 PID 1168 wrote to memory of 568 1168 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe"C:\Users\Admin\AppData\Local\Temp\950a2d9a7a0f39f9ab008c76c96e9fc8a93a0eefa5031d0aa01453657df07c18.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:568
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
490KB
MD5c29c0d495ed13e703f433d53bdffdab8
SHA174ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA25620309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330