Analysis
-
max time kernel
118s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
15-11-2022 16:13
General
-
Target
9e0f5e7f6f3bf3647948f39e795f1ff6.exe
-
Size
5.3MB
-
MD5
9e0f5e7f6f3bf3647948f39e795f1ff6
-
SHA1
dc6d84444138c88b1429a8aad6fe04f7f7ef71b5
-
SHA256
68db7ba636a775b8ed355d9b3f4a143fa4c5b080eee5c4c47ad3dc4b982f44d0
-
SHA512
dd2bbf1687c86ac001ef1f67e4f07b6e8406fe70bf68bff220a37cf32a5b618be068226fdb6e043704d65412f1fd996491b8a09cb74432db5c37f9284af1845b
-
SSDEEP
49152:sPFJCvLqOaSTK5ISawpVpVliC8Tkx23fmAmcViw:sPFsjqOaSFUOfmeiw
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe"C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD50d68fe1dcf245fb8e8a5f0ce28d97b15
SHA1a40f7ed00bc93c1f134d54712eb71d36ef2fec78
SHA25670d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f
SHA51201b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d
-
Filesize
872KB
MD50d68fe1dcf245fb8e8a5f0ce28d97b15
SHA1a40f7ed00bc93c1f134d54712eb71d36ef2fec78
SHA25670d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f
SHA51201b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d
-
Filesize
872KB
MD50d68fe1dcf245fb8e8a5f0ce28d97b15
SHA1a40f7ed00bc93c1f134d54712eb71d36ef2fec78
SHA25670d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f
SHA51201b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d
-
Filesize
5.6MB
-
Filesize
408KB
-
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
260KB
-
Filesize
1.8MB
-
-
Filesize
448KB