Analysis
-
max time kernel
124s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2022 04:43
Behavioral task
behavioral1
Sample
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe
Resource
win7-20220715-en
General
-
Target
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe
-
Size
535KB
-
MD5
9160dbb0f8cb800c517bfa988a1eaafb
-
SHA1
a370130363f5a4ade5dee9ad1df75e69d7165ef4
-
SHA256
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c
-
SHA512
0e2cc51df54b5389e779b23ffa48c97c39c31462c1dafb99f6769b4cb6e399f7bc1c49a31682b6ff957a6be019c02290925f140b62d9cb2d4c75725e1a56e26e
Malware Config
Signatures
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1508 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exepid process 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 1508 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.execmd.exedescription pid process target process PID 2944 wrote to memory of 1148 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 2944 wrote to memory of 1148 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 2944 wrote to memory of 1148 2944 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe cmd.exe PID 1148 wrote to memory of 1508 1148 cmd.exe taskkill.exe PID 1148 wrote to memory of 1508 1148 cmd.exe taskkill.exe PID 1148 wrote to memory of 1508 1148 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe"C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 9d5ff41c22bde90c318f4f3eb0b8d75d7582ca3c54ae1ea1ddc8666f1298c23c.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken