Analysis
- max time kernel: 384s
- max time network: 449s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:46
Static task: static1
Behavioral task: behavioral1
- Sample: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
- Resource: win10v2004-20221111-en
General
- Target: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
- Size: 479KB
- MD5: 2df68ab29c946eeba1b06bf56f221d09
- SHA1: 2c00c9f6d0064fc681a65fa64b8cfe78695dce2d
- SHA256: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107
- SHA512: 0ef9e7fe97a2496e5464b34f9e60247a7a81c764bd21c5790257c592c36296a3dac06751262f28564237319efb49de6cc8d0c09731d4c387bbe0ec604854b51a
- SSDEEP: 12288:ULoNMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMMMMMMMMAHMMMMMMMMMMMMMMMMMMeyB:RMMMMMMMMMMMMMMMMMMEMMMMMMMMMMMb
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    C:\Windows\SysWOW64\123.exe | MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    C:\Windows\SysWOW64\123.exe | WebBrowserPassView
- Nirsoft (1 IoC)
  Processes:
    resource | yara_rule
    C:\Windows\SysWOW64\123.exe | Nirsoft
- Executes dropped EXE (2 IoCs)
  Processes: 123.exe, 123.exe
    pid | process
    716 | 123.exe
    3816 | 123.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 123.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 123.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
- Drops file in System32 directory (3 IoCs)
  Processes: 123.exe
    description | ioc | process
    File created | C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240925609 | 123.exe
    File created | C:\WINDOWS\SysWOW64\123.exe | 123.exe
    File opened for modification | C:\WINDOWS\SysWOW64\123.exe | 123.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe, 123.exe
    description | pid | process | target process
    PID 1248 wrote to memory of 716 | 1248 | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe | 123.exe
    PID 1248 wrote to memory of 716 | 1248 | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe | 123.exe
    PID 1248 wrote to memory of 716 | 1248 | d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe | 123.exe
    PID 716 wrote to memory of 3816 | 716 | 123.exe | 123.exe
    PID 716 wrote to memory of 3816 | 716 | 123.exe | 123.exe
    PID 716 wrote to memory of 3816 | 716 | 123.exe | 123.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d9d28ca9c0e5837618925687970d0f7a2edb1c52594ff82af64a32d82ef1e107.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\SysWOW64\123.exe (child of 2)
         Command line: "C:\WINDOWS\system32\123.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\123.exe
  Filesize: 351KB
  MD5: 8cebc4f2dad6490bb0da9cec4188978c
  SHA1: 80fcaf5e74bbcd1a54beb4883f4d4b6c86a2aa8f
  SHA256: ac13eaab3c040527471bb1b6f9702d239ee7f22bb535d02783fb93d63a87f6ec
  SHA512: 50e29f959c5f0c294c34fabea5dddcc8664ed9639e2cdc250ad65f242384d66c23505140871748593ce2e85eb777d3b79d1e493635bfb09ce395b10aa8f3ad45
- C:\Windows\SysWOW64\123.exe
  Filesize: 521KB
  MD5: c19ff74ab7824992d94abb9262ebb172
  SHA1: a0a6bb0a41a3d5182f8eccf51bbd99a4aca82062
  SHA256: 8108db0f6b3498f140e9e3535105d6cf348a6a479f10875708440fba6335cfb3
  SHA512: fbebdf17b7767f33f44f1178fa2a5132bd362659c16d1eca0d4e2181b80d755264f9e6cad1c8cb2f85c289053627dab4fc42b40be08dc018536d0b09ccbb1220
- memory/716-132-0x0000000000000000-mapping.dmp
- memory/3816-135-0x0000000000000000-mapping.dmp