Analysis
-
max time kernel: 89s
max time network: 132s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 19:56
Static task: static1
Behavioral task: behavioral1
Sample: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
Resource: win7-20220812-en
General
-
Target: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
Size: 1.7MB
MD5: 840c72044af5de505ebe7f1b2f1754db
SHA1: 9e83dcc92ae041de9e528a021ad0594341316c9e
SHA256: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf
SHA512: 4eefbb7eacd26d8b9bac439f0362a18d30981564bedd022e517afcf088f419a12b922a8698d595e76d9e02a4e9ee61d0028f062b405992324b4489c68e4174ef
SSDEEP: 24576:VRoEFOGDF+ErEj4X8ISAv+Gh91Cr9F1sZKTb7z9/GY+i6rpzx6I56L3/UcPX:VXDFXtX8VxGL1OeYb9/GS0iLPUAX
Malware Config
Signatures
-
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: reg.exe
-
Executes dropped EXE 2 IoCs
PID 1736: 1.exe
PID 2032: 2.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 5: whatismyip.com
flow 7: whatismyip.com
flow 10: ip-address.domaintools.com
flow 12: ip-address.domaintools.com
flow 13: ip-address.domaintools.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main
Process: 2.exe
-
Modifies registry key 1 TTPs 1 IoCs
PID 1924: reg.exe
-
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Process: 1.exe
description: Set value (data)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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
Process: 1.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
PID 1736: 1.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, PID 1736: 1.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
PID 2032: 2.exe
PID 2032: 2.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
PID 1028 wrote to memory of 1736 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 28
PID 1028 wrote to memory of 1736 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 28
PID 1028 wrote to memory of 1736 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 28
PID 1028 wrote to memory of 1736 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 28
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1028 wrote to memory of 2032 | Process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe | procid_target: 29
PID 1736 wrote to memory of 1352 | Process: 1.exe | procid_target: 31
PID 1736 wrote to memory of 1352 | Process: 1.exe | procid_target: 31
PID 1736 wrote to memory of 1352 | Process: 1.exe | procid_target: 31
PID 1736 wrote to memory of 1352 | Process: 1.exe | procid_target: 31
PID 1352 wrote to memory of 1924 | Process: cmd.exe | procid_target: 33
PID 1352 wrote to memory of 1924 | Process: cmd.exe | procid_target: 33
PID 1352 wrote to memory of 1924 | Process: cmd.exe | procid_target: 33
PID 1352 wrote to memory of 1924 | Process: cmd.exe | procid_target: 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1028
  C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1736
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      PID: 1352
      C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - Modifies registry key
        PID: 1924
  C:\Users\Admin\AppData\Local\Temp\2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2032
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 319KB
MD5: 37cc6e07c0d40f74d1da5402a634a3e3
SHA1: 0020b2bbd249f4f60bccab79df3a20f377004fa3
SHA256: 303c62d4ddf5ef6329f921c486f89ff2114a485b89b194ab8c5f65c8e13eae47
SHA512: aa8ba77a51485bfd726cf37bff5f535ce5971e63e842707924f5070db3c5eb3f383be91d6ce01c0f74373d073ff15612bcb35a0dbb1d4d06ce0e160a0ac0c2c5
-
Filesize: 1.4MB
MD5: ddf281d9c41f332328df8599e7e27f57
SHA1: 99c4deb41dd859f8dbe955b995719dc71d1e6689
SHA256: a14e8373fa85cbaa5c16e88dc5d5f949e0352fc53d5c74f16bc17b8a31a9ecaf
SHA512: ce6a7b609033f3cca0acfc88855fefabcaee9d707a6af7a4ceea898ebaf0076b26da7167f3a1f2c18268552d2e9b842369a59ac2ec7d042ad0d00648e4c7ecb5