Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
25-07-2022 04:43
Behavioral task
behavioral1
Sample
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe
Resource
win7-20220715-en
General
-
Target
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe
-
Size
535KB
-
MD5
9160dbb0f8cb800c517bfa988a1eaafb
-
SHA1
a370130363f5a4ade5dee9ad1df75e69d7165ef4
-
SHA256
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c
-
SHA512
0e2cc51df54b5389e779b23ffa48c97c39c31462c1dafb99f6769b4cb6e399f7bc1c49a31682b6ff957a6be019c02290925f140b62d9cb2d4c75725e1a56e26e
Malware Config
Signatures
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 576 cmd.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 640 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exepid process 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 640 taskkill.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.execmd.exedescription pid process target process PID 1564 wrote to memory of 576 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 1564 wrote to memory of 576 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 1564 wrote to memory of 576 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 1564 wrote to memory of 576 1564 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 576 wrote to memory of 640 576 cmd.exe taskkill.exe PID 576 wrote to memory of 640 576 cmd.exe taskkill.exe PID 576 wrote to memory of 640 576 cmd.exe taskkill.exe PID 576 wrote to memory of 640 576 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe"C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken