Analysis

  • max time kernel
    91s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 07:47

General

  • Target

    72c4c09093663a7bb67f3f5b2da6b7d8b9d9016ca9bb91268434e6a518beab20.exe

  • Size

    684KB

  • MD5

    93533097a256398b5acdbe8983acdacd

  • SHA1

    1c12702a274ae43d4d712afe3c2f438d6020a0dd

  • SHA256

    72c4c09093663a7bb67f3f5b2da6b7d8b9d9016ca9bb91268434e6a518beab20

  • SHA512

    e0bdd70f4594e4fae097a414bebf4accbce7c85b2e68ed809c947032bcb408cbcb6c7174ba64c380f69963db88e470f36f7412e5c262a59bf86456db8c52a468

  • SSDEEP

    12288:0/XM4DShe9EcHPLrLZ5AICgkTP3/j3r3ZBIRjD68wBxGsHmmvV9RnCbzvYej:AM4DSs9FvzAICgkTjjZB2oGmvDRnY1

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c4c09093663a7bb67f3f5b2da6b7d8b9d9016ca9bb91268434e6a518beab20.exe
    "C:\Users\Admin\AppData\Local\Temp\72c4c09093663a7bb67f3f5b2da6b7d8b9d9016ca9bb91268434e6a518beab20.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Roaming\work1.exe
      "C:\Users\Admin\AppData\Roaming\work1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\PIF\cmd.vbe"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\PIF\firewall.vbe"
          4⤵
          • Modifies firewall policy service
          PID:1140
        • C:\Windows\SysWOW64\regedit.exe
          "C:\Windows\regedit.exe" /s C:\Windows\PIF\reg.reg
          4⤵
          • Runs .reg file with regedit
          PID:4052
        • C:\Windows\SysWOW64\regedit.exe
          "C:\Windows\regedit.exe" /s C:\Windows\PIF\reg1.reg
          4⤵
          • Runs .reg file with regedit
          PID:4060
        • C:\Windows\PIF\smss.exe
          "C:\Windows\PIF\smss.exe" /install /silence
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4612
        • C:\Windows\PIF\smss.exe
          "C:\Windows\PIF\smss.exe" /pass:xplicit /port:5445 /save /silence
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4692
        • C:\Windows\PIF\smss.exe
          "C:\Windows\PIF\smss.exe" /start /silence
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1048
  • C:\Windows\PIF\smss.exe
    "C:\Windows\PIF\smss.exe" /service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4476

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\work1.exe

          Filesize

          317KB

          MD5

          e2981acd6aad63030a427c8fbe23214d

          SHA1

          114917d24670c37c5323fd3d14ad8f4859efa47a

          SHA256

          c64dc6b16fbf9875acad2bc192e0ea9a964100d1ba78207695d96cf088786a37

          SHA512

          4dd1c84f143ebef5945144c505c395eab20a09a3edbbe14be30eb164aa21db0e9c64af909e2950b70afb6248a06f8bfc232106a0fc1ae7e4495ea9eaba4b0f05

        • C:\Windows\PIF\ADMDLL.dll

          Filesize

          88KB

          MD5

          c915181e93fe3d4c41b1963180d3c535

          SHA1

          f35e66bec967d4254338a120eea8159f29c06a99

          SHA256

          d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

          SHA512

          2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

        • C:\Windows\PIF\AdmDll.dll

          Filesize

          88KB

          MD5

          c915181e93fe3d4c41b1963180d3c535

          SHA1

          f35e66bec967d4254338a120eea8159f29c06a99

          SHA256

          d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

          SHA512

          2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

        • C:\Windows\PIF\cmd.vbe

          Filesize

          531B

          MD5

          40b7488181074032b35b36f790e3b4d7

          SHA1

          495fbb91d17a22a211c99ffba757c612d220fd1d

          SHA256

          32ff28bc0fa11dafa988824e9c02b7f52082884ac09135d440a6df135092f3aa

          SHA512

          0d981d4ae16a6d0712b3c583e07126f64b490c599d3bdbdf7f72016499f37b6785c1c217cb41d5854126aa0634a8a51cbf7fd4c90c875e7ac645bc33478823c4

        • C:\Windows\PIF\firewall.vbe

          Filesize

          267B

          MD5

          30088192ecd38db91bb8332e3f4cbdec

          SHA1

          dbd421b46a212d047eb5cbf79d233e6557feed57

          SHA256

          4a3a6938cb7b4501982cee517b6d21007e855c1ea4d3ffe229a44fe4facd6e8d

          SHA512

          cd8df66bb39e0f3d5cea106b8dd4ea34ddf562f9b828e803243b3345bea9f681fab9b02168cd264ee19ad3a9f8c41ec513ca207a320b097f9dea17b16a425b0d

        • C:\Windows\PIF\reg.reg

          Filesize

          828B

          MD5

          e483050e5285a268eeb7730eabcfa03f

          SHA1

          c93cb3b84db521051f713afb192987bc356bb593

          SHA256

          bc35a9c29f2b75aa4c42a2ac403b25f26bb93a42cf76be5d3a5674e0d9ebbe8f

          SHA512

          0bbb51b583af80b81184ff1d9f50601424c69012301ef5bf82d0c9cef9f2271a460abddded0639f27eef808d539dbd4619de94851a731114d20cca1e1f4ab4bb

        • C:\Windows\PIF\reg1.reg

          Filesize

          258B

          MD5

          852bca3a6be73d7ba1d0cac7c2bb5603

          SHA1

          a93b0be44178620a548899b42c5d304185c83a99

          SHA256

          31550d77b0358435287e357b84958dd1c4787e838a3cb774e0c4b410aab10ecc

          SHA512

          5f99803f3099d6df552793b95f7685e82d284f079733fffcd4fc8557d395d7bf985026608eea522bfef9cc99ec2cf117633d6a42f85240b13703c1c898d69c3e

        • C:\Windows\PIF\smss.exe

          Filesize

          240KB

          MD5

          58aa9c1c75bfd50fe0dd98dff7934250

          SHA1

          659085afa2dab8ee8abca7071e329f13b003051b

          SHA256

          122080d3f810d1e32206bf8dd23dee3fee26fe1ab562dff1f61acc1353a5b2ec

          SHA512

          02c3d9ae0c34d0155fe5b847780ab4a4045ed117df6605905e60ae23a629383e2a2c351d659278a5e728ed39a4c375db585d64e1c782d7da305ca9ded256f684

        • memory/1048-158-0x0000000000E30000-0x0000000000E9E000-memory.dmp

          Filesize

          440KB

        • memory/1048-159-0x0000000000E30000-0x0000000000E9E000-memory.dmp

          Filesize

          440KB

        • memory/4476-160-0x0000000000F00000-0x0000000000F6E000-memory.dmp

          Filesize

          440KB

        • memory/4612-148-0x0000000000F70000-0x0000000000FDE000-memory.dmp

          Filesize

          440KB

        • memory/4692-152-0x0000000000E30000-0x0000000000E9E000-memory.dmp

          Filesize

          440KB