Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-11-2022 22:39
General
-
Target
16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe
-
Size
670KB
-
MD5
5f0f3b5dcbd27b8f3934f384450086bb
-
SHA1
ba87d32df44d97bd231f568369bac31d891b9159
-
SHA256
16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410
-
SHA512
35f79bc5556c0ec7750971a067115568e22847a3ee40e4a79cdd664056e782743a33359f8ae21e78568fe8f22c7f66d9be6ad56c4cd45fd5d868e38901a605f1
-
SSDEEP
12288:X3nZMhJ+ubNUpl9J86HqNUJ5YBoHZ2U24wW3vcGbjfBWq/Y6LFnXdgInFBSS5cqT:X3nZqfbGT9J5bCBo5x2/W30GvJWxqQmd
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe"C:\Users\Admin\AppData\Local\Temp\16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chromenet.exe"C:\Users\Admin\AppData\Roaming\chromenet.exe" +e2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\wget.exewget.exe -O "C:\Users\Admin\AppData\Roaming\arsiv.exe" ""3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
765KB
MD56dbcb3103f2d5dfb21352fdfa23b2a1e
SHA140ea01327ac749cb4f524873613f21a5f0e078fc
SHA256509ca6b1ef90d93d31a33823716b3664167c1feb3eaaee8e8e3de238b72ddea5
SHA5129867e2657b4a17214dc28d9449e15be74e8086fd2966ce268f2725b9f60efc4ff164d34af3abbab4b67cd43e5168b8b2c7ea8ce3fd20d56deecfc382b1c5debc
-
Filesize
765KB
MD56dbcb3103f2d5dfb21352fdfa23b2a1e
SHA140ea01327ac749cb4f524873613f21a5f0e078fc
SHA256509ca6b1ef90d93d31a33823716b3664167c1feb3eaaee8e8e3de238b72ddea5
SHA5129867e2657b4a17214dc28d9449e15be74e8086fd2966ce268f2725b9f60efc4ff164d34af3abbab4b67cd43e5168b8b2c7ea8ce3fd20d56deecfc382b1c5debc
-
Filesize
71KB
MD5f98d5a7924143f6e687dd92d9af8f3a9
SHA1330482f12ddf5b3b1934cfec485be52a0009a241
SHA256d9db6823fe6daa9747c54b468b030f934120552edaa11b383c87fed1dacc7754
SHA51208bfa84b7645ef10ff4b968c6cfe66c6689445e182ea23c12b6a64431735fc00bf4984e0a9f5f381e9d463cdcce2c9d860124aeae3fa404cd93c25f23b5caf23
-
Filesize
71KB
MD5f98d5a7924143f6e687dd92d9af8f3a9
SHA1330482f12ddf5b3b1934cfec485be52a0009a241
SHA256d9db6823fe6daa9747c54b468b030f934120552edaa11b383c87fed1dacc7754
SHA51208bfa84b7645ef10ff4b968c6cfe66c6689445e182ea23c12b6a64431735fc00bf4984e0a9f5f381e9d463cdcce2c9d860124aeae3fa404cd93c25f23b5caf23
-
-
-
Filesize
192KB