Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2022 21:49

General

  • Target

    d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd.exe

  • Size

    123KB

  • MD5

    1a07b35055a94e295213e75c7252b96f

  • SHA1

    137aaec61339f2adadba840544da32458f19e445

  • SHA256

    d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

  • SHA512

    1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

  • SSDEEP

    3072:e2LHmekMbYIAcKnRRytZwUB9ra3YR78DL+YQLeT8HGj4IsxfO:e2DiMb6cKRRFUi3YvWj4IwfO

Score
10/10

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=eblon

Wallets

DUQm48oydKgNwdYn4PzPZYxY9smehcHVjB

rGzqdqBk9a5BGhC4JWBSmwQiBy8zdnR7Tn

0x379844563B2947bCf8Ee7660d674E91704ba85cc

Xuz8aqGG2mBWXt4gDRMDkSseFKKe6zziyi

TNCZ8Qu1GQqV5Fi6iZBdiHXMxVu1LYFqQX

t1LyGvKhU1Gc14vvoR1fugvb5D3ueGdKkvz

GAHOFB2SVCUHKTB6F5L7GGDHAK7JLJJL73B6NBTB4WFB2GDDJZIDJDCX

46udGK3EgNQKESwPaYA8EQNLkxMhYZChhGxGJDtL112b15yVDPUiitoDZ6J152778r87B8HYaoWZzgdE32Fo4V8ZBDtnYjh

qpmxvq0yc6vzh8p24ytkck4zwyeuwpxmnvy9m48hvv

bc1qr8qp3yvj5t46tx2c0h3rt2g2jzunwafr2h6wwf

0x81B94C343661fbE735d2560c8190241f9958e94d

Lega1BRXbYREKUP64MxdWZXF8XkaT4R79f

ronin:41e9c027a808f6c59579a67e1a9a898c2ad1206a

+79889916188

+79889916188

+79889916188

P1074987499

Lega1BRXbYREKUP64MxdWZXF8XkaT4R79f

ltc1qpu9glf7q3d05dknexcl7alw6y8k3rcelmteu24

bc1qr8qp3yvj5t46tx2c0h3rt2g2jzunwafr2h6wwf

Signatures

  • Allcome

    A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd.exe
    "C:\Users\Admin\AppData\Local\Temp\d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
      2⤵
      • Creates scheduled task(s)
      PID:5060
  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    Filesize

    123KB

    MD5

    1a07b35055a94e295213e75c7252b96f

    SHA1

    137aaec61339f2adadba840544da32458f19e445

    SHA256

    d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

    SHA512

    1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

  • C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    Filesize

    123KB

    MD5

    1a07b35055a94e295213e75c7252b96f

    SHA1

    137aaec61339f2adadba840544da32458f19e445

    SHA256

    d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

    SHA512

    1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

  • memory/5060-132-0x0000000000000000-mapping.dmp