Analysis
max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 09-08-2022 16:02
Static task: static1
Behavioral task: behavioral1
  Sample: ETRANSFER_RECEIPT.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: ETRANSFER_RECEIPT.exe
  Resource: win10v2004-20220721-en
General
Target: ETRANSFER_RECEIPT.exe
Size: 300.0MB
MD5: 8dac8b61bf8c23264873a3f3bee260f5
SHA1: ba581c38574794324ea714a48671fad7f2384dbe
SHA256: 7e4a1f93d53d3962a913e000524344bdcccd6d36d0856b3df38df57d4a8e1df3
SHA512: 65ef0b281583e1f8303ff470dc134d8d35ccc394521fd93294cd251220af501137b17d39af91829efe0191e395c2494e1652565895647bf04a46b56fe0eae163
Malware Config
Extracted family: bitrat
  version: 1.38
  C2 (host:port): bitrat9300.duckdns.org:9300
  communication_password: e10adc3949ba59abbe56e057f20f883e
  tor_process: tor
Signatures
Executes dropped EXE (1 IoC)
  Process: olkij.exe (PID 904)
Memory dumps matching yara rule upx (9 matches):
  resource: behavioral1/memory/1612-59-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-61-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-62-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-65-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-64-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-68-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-69-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-70-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/1612-71-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Process: RegAsm.exe (PID 1612), 4 occurrences
Suspicious use of SetThreadContext (1 IoC)
  PID 1148 (ETRANSFER_RECEIPT.exe) set thread context of PID 1612 (RegAsm.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege     PID 1612  RegAsm.exe
  Token: SeShutdownPrivilege  PID 1612  RegAsm.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: RegAsm.exe (PID 1612), 2 occurrences
Suspicious use of WriteProcessMemory (27 IoCs)
  PID 1148 (ETRANSFER_RECEIPT.exe) wrote to memory of PID 976  (cmd.exe)       x4
  PID 1148 (ETRANSFER_RECEIPT.exe) wrote to memory of PID 896  (cmd.exe)       x4
  PID 976  (cmd.exe)               wrote to memory of PID 368  (schtasks.exe)  x4
  PID 1148 (ETRANSFER_RECEIPT.exe) wrote to memory of PID 1612 (RegAsm.exe)    x11
  PID 1980 (taskeng.exe)           wrote to memory of PID 904  (olkij.exe)     x4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ETRANSFER_RECEIPT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ETRANSFER_RECEIPT.exe"
    PID: 1148
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
        PID: 976
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
            PID: 368
            - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Local\Temp\olkij.exe"
        PID: 896
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1612
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {4F15B8A4-4414-4759-940F-E1A037E5EDF4} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
    PID: 1980
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\olkij.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\olkij.exe
        PID: 904
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 234.2MB
  MD5: 80d52e07bb4a1c67332e79446872543d
  SHA1: 293aee909b3f9dd4cc7452837bd43f66d486ef9e
  SHA256: f0a9d9ff79135b19fe1954921be39b51f59ccc85a57a8c6f171d7c35a1b08aa0
  SHA512: 29d4f58255bc24806d0197657b7849351f1fbeb71ee36f97ff307301b18988920ed0490971a53bf9ae86b1a3fb7e57d51be46246baa71f29679b3130cd95fb43
- Filesize: 234.6MB
  MD5: 85add4fbfe08f33ddb54465c3f09606c
  SHA1: 8d199b769de4e5cc69aa3127366238dfaba163be
  SHA256: 32b712fa8be19cd10e6a6188a60fafb52d4dac8cd0e86b5d63954d901d88e75e
  SHA512: 92022732d69f7e45bfcb08a2b89646b99f18a80866bd21556d01f91f84ba7f16ae5145f5229e545d80b1063bacec0530ea533afc9b5b0c5871c3f686b1e8e3c2