Analysis
- max time kernel: 64s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 17:04
Static task: static1
Behavioral task: behavioral1
- Sample: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Resource: win10v2004-20220812-en
General
- Target: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Size: 60KB
- MD5: 1e09e010663bbd014f81439498831690
- SHA1: fb2bd4db019e29629840b1b1e0f7cba8c78019f0
- SHA256: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51
- SHA512: 2c5914f615c3b0b5edaa8fc10e57162096ad443292716f1470a425f52c3680831dedf3a21c09c0c6fe1687aed232f2752d61c69b1cd7f75c86c206fec4cb51b0
- SSDEEP: 768:MTi6KchHpfzXAZfyooDmIBXmq2Upj9c6FVNTyHtQvKuzkE5nwGc:dHch5oIoA9c6vNTyaSuzkqw
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1480, process 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe\""
    process: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid 784, process 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
    description: Token: SeDebugPrivilege, pid 1480, process 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 784, process 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
    pid 1480, process 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 784 wrote to memory of 1272, 784, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe, cmd.exe
    PID 784 wrote to memory of 1272, 784, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe, cmd.exe
    PID 784 wrote to memory of 1272, 784, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe, cmd.exe
    PID 1272 wrote to memory of 1592, 1272, cmd.exe, PING.EXE
    PID 1272 wrote to memory of 1592, 1272, cmd.exe, PING.EXE
    PID 1272 wrote to memory of 1592, 1272, cmd.exe, PING.EXE
    PID 1272 wrote to memory of 1480, 1272, cmd.exe, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
    PID 1272 wrote to memory of 1480, 1272, cmd.exe, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
    PID 1272 wrote to memory of 1480, 1272, cmd.exe, 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe"&"C:\Users\Admin\AppData\Roaming\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 3
      - Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
  Filesize: 60KB
  MD5: 1e09e010663bbd014f81439498831690
  SHA1: fb2bd4db019e29629840b1b1e0f7cba8c78019f0
  SHA256: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51
  SHA512: 2c5914f615c3b0b5edaa8fc10e57162096ad443292716f1470a425f52c3680831dedf3a21c09c0c6fe1687aed232f2752d61c69b1cd7f75c86c206fec4cb51b0
- C:\Users\Admin\AppData\Roaming\60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51.exe
  Filesize: 60KB
  MD5: 1e09e010663bbd014f81439498831690
  SHA1: fb2bd4db019e29629840b1b1e0f7cba8c78019f0
  SHA256: 60448f74827af1b2e85e1593c51bd0ff449e19dd3db6055e4ea778333565de51
  SHA512: 2c5914f615c3b0b5edaa8fc10e57162096ad443292716f1470a425f52c3680831dedf3a21c09c0c6fe1687aed232f2752d61c69b1cd7f75c86c206fec4cb51b0
- memory/784-54-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp
  Filesize: 10.1MB
- memory/784-55-0x000007FEEE3F0000-0x000007FEEF486000-memory.dmp
  Filesize: 16.6MB
- memory/784-56-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
  Filesize: 8KB
- memory/1272-57-0x0000000000000000-mapping.dmp
- memory/1480-60-0x0000000000000000-mapping.dmp
- memory/1480-62-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp
  Filesize: 10.1MB
- memory/1480-63-0x000007FEEE3F0000-0x000007FEEF486000-memory.dmp
  Filesize: 16.6MB
- memory/1592-58-0x0000000000000000-mapping.dmp