Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
18-10-2022 21:50
General
-
Target
81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe
-
Size
227KB
-
MD5
51e5a087d3ef2140a2b4b921cec3de42
-
SHA1
2b4bc51bc96cf3cbf50ffe03b5819fb812a34c19
-
SHA256
81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a
-
SHA512
9a23fe082db3896cc1a268fde0fefb16d495a563708171cb475afd4148f56877ee777bf2edf8bd9a9f630322d4bebd2be5518166c7d47a9d823f78a4498f4f1f
-
SSDEEP
3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmRuq:ZR5IuMQoseGk7RZBGxAycKpSPX2Fq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe"C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\microsoft.net\framework\v2.0.50727\InstallUtil.exe"c:\windows\microsoft.net\framework\v2.0.50727\\InstallUtil.exe" C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn Admin /tr "\"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe\" arguments" /sc MINUTE /mo 13⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe" && del "C:\Users\Admin\AppData\Local\Temp\81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a.exe.config"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {28FF882B-63E6-4876-BE37-A062D9612225} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exeC:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe arguments2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exeC:\Users\Admin\AppData\Local\_foldernamelocalappdata_\format32.exe arguments2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD55c0d97618ae9a791191badd14c914df2
SHA13b20aa145232fca0c0224b7d5984bd81445c1b44
SHA256d83e85ff5f16361074f50f9601d4e2653cb6e26e184f415447416fddd8c42ccb
SHA5128fb57830ffdcb6613cfb27f90d65a20c578fa8fb711ff193cbe4ed4fa2dd75ef4635267466aba51c9bcdab94e2bca05aab222678e54af17842dfb3f441abbc0e
-
Filesize
227KB
MD55c0d97618ae9a791191badd14c914df2
SHA13b20aa145232fca0c0224b7d5984bd81445c1b44
SHA256d83e85ff5f16361074f50f9601d4e2653cb6e26e184f415447416fddd8c42ccb
SHA5128fb57830ffdcb6613cfb27f90d65a20c578fa8fb711ff193cbe4ed4fa2dd75ef4635267466aba51c9bcdab94e2bca05aab222678e54af17842dfb3f441abbc0e
-
Filesize
227KB
MD55c0d97618ae9a791191badd14c914df2
SHA13b20aa145232fca0c0224b7d5984bd81445c1b44
SHA256d83e85ff5f16361074f50f9601d4e2653cb6e26e184f415447416fddd8c42ccb
SHA5128fb57830ffdcb6613cfb27f90d65a20c578fa8fb711ff193cbe4ed4fa2dd75ef4635267466aba51c9bcdab94e2bca05aab222678e54af17842dfb3f441abbc0e
-
Filesize
227KB
MD55c0d97618ae9a791191badd14c914df2
SHA13b20aa145232fca0c0224b7d5984bd81445c1b44
SHA256d83e85ff5f16361074f50f9601d4e2653cb6e26e184f415447416fddd8c42ccb
SHA5128fb57830ffdcb6613cfb27f90d65a20c578fa8fb711ff193cbe4ed4fa2dd75ef4635267466aba51c9bcdab94e2bca05aab222678e54af17842dfb3f441abbc0e
-
Filesize
1KB
MD5dd3d04c365984b4ec57a80503f81fddf
SHA1c55fbcb61818e47dac9aae465faff91f0805bd7c
SHA25640a59ca9744dc3d4647f246b2dc553f37f8095418c1b48a9bd94cdb5c03dbc5c
SHA5120dd459def2abe9e3f0d1251049a0755c63f7dd3d85e91dba272c3f479f2578e3f3f2379e1cd6913190f7f596af721201eb5d9423ab28aed72bde5cd3cac7f785
-
Filesize
124KB
-
-
Filesize
10.1MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
124KB
-
-
-
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
16.6MB
-
Filesize
10.1MB
-
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
16.6MB
-
-
Filesize
32KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
-
Filesize
32KB
-