Analysis
- max time kernel: 118s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-11-2022 16:13

Static task: static1
Behavioral task: behavioral1
Sample: 9e0f5e7f6f3bf3647948f39e795f1ff6.exe
Resource: win7-20221111-en
General
- Target: 9e0f5e7f6f3bf3647948f39e795f1ff6.exe
- Size: 5.3MB
- MD5: 9e0f5e7f6f3bf3647948f39e795f1ff6
- SHA1: dc6d84444138c88b1429a8aad6fe04f7f7ef71b5
- SHA256: 68db7ba636a775b8ed355d9b3f4a143fa4c5b080eee5c4c47ad3dc4b982f44d0
- SHA512: dd2bbf1687c86ac001ef1f67e4f07b6e8406fe70bf68bff220a37cf32a5b618be068226fdb6e043704d65412f1fd996491b8a09cb74432db5c37f9284af1845b
- SSDEEP: 49152:sPFJCvLqOaSTK5ISawpVpVliC8Tkx23fmAmcViw:sPFsjqOaSFUOfmeiw
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4348  elclass.exe
    1364  elclass.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
    process: 9e0f5e7f6f3bf3647948f39e795f1ff6.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process      target process
    PID 4348 set thread context of 1364   4348  elclass.exe  elclass.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1364  elclass.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1364  elclass.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 4784 wrote to memory of 4348   4784  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
    PID 4784 wrote to memory of 4348   4784  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
    PID 4784 wrote to memory of 4348   4784  9e0f5e7f6f3bf3647948f39e795f1ff6.exe  elclass.exe
    PID 4348 wrote to memory of 1364   4348  elclass.exe                           elclass.exe
    PID 4348 wrote to memory of 1364   4348  elclass.exe                           elclass.exe
    PID 4348 wrote to memory of 1364   4348  elclass.exe                           elclass.exe
    PID 4348 wrote to memory of 1364   4348  elclass.exe                           elclass.exe
    PID 4348 wrote to memory of 1364   4348  elclass.exe                           elclass.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe (PID 4784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e0f5e7f6f3bf3647948f39e795f1ff6.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe (PID 4348, child of 4784)
    Command line: "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe (PID 1364, child of 4348)
      Command line: "C:\ProgramData\KisGamesSh0p\KisGamesSh0p\elclass.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 872KB
  MD5: 0d68fe1dcf245fb8e8a5f0ce28d97b15
  SHA1: a40f7ed00bc93c1f134d54712eb71d36ef2fec78
  SHA256: 70d8da143a9c64cf96c0bebfbbc6b2fb890ec2a46528f57fb5195f3b38cf007f
  SHA512: 01b8df5eae8dbf9d1b5126158e530c569fdfa4777cc637b43830a73ff0f067ecc5c5ffe456e1949f90cb99da6bb5ff419790562c9ed803355637e48f7abe720d