Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 09:40
General
-
Target
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
-
Size
606KB
-
MD5
720d10b1cf1f0ffea760e4614547a371
-
SHA1
a68f59f07bbacbd75e1951082bf2a66cc3936c9e
-
SHA256
86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c
-
SHA512
2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019
-
SSDEEP
12288:lZ72G7ahUmH2fG+nW6ITjKdXix4ZQ/gyblukHCGrFp:n729UmH2++XIa12lbQYCGBp
Malware Config
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD581cd48fa8f0a70fe3872780af4f96055
SHA1fe725ffab8ad3be4df9b6205894a665f67668af5
SHA25666dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991
SHA512ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7
-
Filesize
6KB
MD581cd48fa8f0a70fe3872780af4f96055
SHA1fe725ffab8ad3be4df9b6205894a665f67668af5
SHA25666dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991
SHA512ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
-
Filesize
528KB
-
Filesize
5.7MB