Analysis
max time kernel: 141s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 19:56
Static task: static1
Behavioral task: behavioral1
Sample: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
Resource: win7-20220812-en
General
Target: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
Size: 1.7MB
MD5: 840c72044af5de505ebe7f1b2f1754db
SHA1: 9e83dcc92ae041de9e528a021ad0594341316c9e
SHA256: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf
SHA512: 4eefbb7eacd26d8b9bac439f0362a18d30981564bedd022e517afcf088f419a12b922a8698d595e76d9e02a4e9ee61d0028f062b405992324b4489c68e4174ef
SSDEEP: 24576:VRoEFOGDF+ErEj4X8ISAv+Gh91Cr9F1sZKTb7z9/GY+i6rpzx6I56L3/UcPX:VXDFXtX8VxGL1OeYb9/GS0iLPUAX
Malware Config
Signatures
UAC bypass 1 IoCs
Sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which disables User Account Control for every user after the next reboot. Writing that key needs administrative rights, so the sample is already elevated when it runs reg.exe; the write is tampering with the UAC policy, not a privilege escalation.
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
process: reg.exe
Executes dropped EXE 2 IoCs
pid 3284  1.exe
pid 612   2.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
process: 62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 66: whatismyip.com
flow 68: whatismyip.com
flow 71: ip-address.domaintools.com
flow 73: ip-address.domaintools.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as possible ransomware behaviour, but it is a generic heuristic; no encryption activity is recorded in this run, and the other signatures (FTP client, messenger and browser data access, external IP lookup) point to an infostealer.
-
Modifies registry key 1 TTPs 1 IoCs
pid 1776  reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid 3284  1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege  pid 3284  1.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid 612  2.exe (2 events)
Suspicious use of WriteProcessMemory 12 IoCs
source pid  source process  target pid (process)  procid_target  events
4820  62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe  3284 (1.exe)    86  3
4820  62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe  612 (2.exe)     87  3
3284  1.exe                                                                  4352 (cmd.exe)  92  3
4352  cmd.exe                                                                1776 (reg.exe)  94  3
Processes
C:\Users\Admin\AppData\Local\Temp\62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe"
  PID: 4820
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    PID: 3284
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 4352
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 1776
        - UAC bypass
        - Modifies registry key
  C:\Users\Admin\AppData\Local\Temp\2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    PID: 612
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

Note on the cmd.exe and reg.exe entries: the command lines name System32 but the images that actually ran live in SysWOW64. That is WoW64 file-system redirection, which means the parent 1.exe is a 32-bit process (the resource tags list arch:x86 alongside arch:x64). The registry write is not redirected, because HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is one of the keys shared between 32-bit and 64-bit views; the IoC above shows the value landing at \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rather than under Wow6432Node, so the real UAC policy is affected. cmd.exe /k keeps the shell open after reg.exe returns, which is why both processes remain in the tree.
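Detection logic for the two behaviours this report pins to concrete IoCs, the EnableLUA=0 write and the external-IP lookups, written here as an added example; it is not part of the sandbox report or the sandbox vendor's code. It runs over constructed Sysmon-style events (not sandbox output) whose PIDs, images and command lines mirror the process tree above. The root's parent PID (1234), the attribution of the DNS queries to PID 4820 (the flow table gives no process) and the two benign entries at the end are assumptions made for the example. The regex keys on the registry value being written rather than on this sample's exact string, so quoting, %windir% expansion and the System32/SysWOW64 difference do not matter, and the parent chain is reported with each hit because that chain, not the reg.exe command itself, is what separates this from an administrator changing the setting.

```python
import re

SAMPLE_NAME = "62d24c9c7a8c97ecbeb717aaa26bcd65e85e00f71308936ab76b1f056d550ecf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Domains listed under "Looks up external IP address via web service" in the report.
IP_LOOKUP_DOMAINS = {"whatismyip.com", "ip-address.domaintools.com"}

# reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0.  Case-insensitive and tolerant
# of quoting, %windir% expansion and System32 vs SysWOW64; /d 1 (re-enabling UAC) does
# not match.
UAC_DISABLE_RE = re.compile(
    r"reg(?:\.exe)?\s+add\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System\"?\s.*?/v\s+EnableLUA\b.*?/d\s+0(?!\d)",
    re.IGNORECASE,
)

REG_ARGS = (r"ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
            r" /v EnableLUA /t REG_DWORD /d 0 /f")


def proc(pid, ppid, image, cmdline):
    return {"kind": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def dns(pid, query):
    return {"kind": "dns", "pid": pid, "query": query}


# Constructed events (not sandbox output).  PIDs, images and command lines follow the
# report's process tree; the root PPID, the DNS PIDs and the benign noise are assumed.
SAMPLE_EVENTS = [
    proc(4820, 1234, TEMP + "\\" + SAMPLE_NAME, '"' + TEMP + "\\" + SAMPLE_NAME + '"'),
    proc(3284, 4820, TEMP + r"\1.exe", '"' + TEMP + r'\1.exe"'),
    proc(4352, 3284, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe " + REG_ARGS),
    proc(1776, 4352, r"C:\Windows\SysWOW64\reg.exe", r"C:\Windows\System32\reg.exe " + REG_ARGS),
    proc(612, 4820, TEMP + r"\2.exe", '"' + TEMP + r'\2.exe"'),
    dns(4820, "whatismyip.com"),
    dns(4820, "ip-address.domaintools.com"),
    # Benign noise: an administrator re-enabling UAC, and an unrelated lookup.
    proc(900, 800, r"C:\Windows\System32\reg.exe",
         r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
         r" /v EnableLUA /t REG_DWORD /d 1 /f"),
    dns(2000, "www.example.com"),
]


def find_uac_disable(events):
    """PIDs whose command line writes EnableLUA=0; catches both the cmd.exe wrapper and reg.exe."""
    return [e["pid"] for e in events
            if e["kind"] == "process" and UAC_DISABLE_RE.search(e["cmdline"])]


def find_ip_lookups(events):
    """(pid, domain) pairs for DNS queries to the IP-check services named in the report."""
    return [(e["pid"], e["query"]) for e in events
            if e["kind"] == "dns" and e["query"].lower() in IP_LOOKUP_DOMAINS]


def ancestry(events, pid):
    """Image file names from pid up to the oldest parent present in the events."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """Every hit with its parent chain, so reg.exe under cmd.exe under a Temp\\ binary stands out."""
    return {
        "uac_disable": [{"pid": p, "chain": ancestry(events, p)} for p in find_uac_disable(events)],
        "ip_lookup": [{"pid": p, "domain": d, "chain": ancestry(events, p)}
                      for p, d in find_ip_lookups(events)],
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, hit["pid"], hit.get("domain", ""), " <- ".join(hit["chain"]))
```

On the constructed events this reports PIDs 4352 and 1776 for the UAC write, each with the chain reg.exe <- cmd.exe <- 1.exe <- sample, and PID 4820 for both lookups; the administrator's reg.exe (PID 900, /d 1) and the unrelated query are not flagged. Because the HKLM write already requires an elevated token, treat a hit as defence evasion on a host that is already compromised at admin level, and check the live value with reg query afterwards: the setting only takes effect after a reboot, so a clean reboot-free host can still carry the tampered value.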
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 319KB
MD5: 37cc6e07c0d40f74d1da5402a634a3e3
SHA1: 0020b2bbd249f4f60bccab79df3a20f377004fa3
SHA256: 303c62d4ddf5ef6329f921c486f89ff2114a485b89b194ab8c5f65c8e13eae47
SHA512: aa8ba77a51485bfd726cf37bff5f535ce5971e63e842707924f5070db3c5eb3f383be91d6ce01c0f74373d073ff15612bcb35a0dbb1d4d06ce0e160a0ac0c2c5
-
Filesize: 1.4MB
MD5: ddf281d9c41f332328df8599e7e27f57
SHA1: 99c4deb41dd859f8dbe955b995719dc71d1e6689
SHA256: a14e8373fa85cbaa5c16e88dc5d5f949e0352fc53d5c74f16bc17b8a31a9ecaf
SHA512: ce6a7b609033f3cca0acfc88855fefabcaee9d707a6af7a4ceea898ebaf0076b26da7167f3a1f2c18268552d2e9b842369a59ac2ec7d042ad0d00648e4c7ecb5