Analysis
- max time kernel: 89s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 01:56
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
- Resource: win7-20221111-en
General
- Target: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
- Size: 600KB
- MD5: 27d84e58000078a566602e597aa73186
- SHA1: 0521b65491fedad4f142baef107f4a691f3f5c06
- SHA256: 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88
- SHA512: 1c26a751ca202de1deb6aee5da533b5fcedea4b530bb15f3e8ca06398519d6180e6735bd522949d2a3d0091ff804036278c79b87dc1e3bb84d9234606c8736c8
- SSDEEP: 12288:MBtdzSMfWEGgEgt1rrRRXV3p+96cQP48KieqFrAoZlNFKihqw8:MBt89EbEe1rrV3p+9VQPFeqFrVZNP
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: overcomer123
Signatures

Nirsoft 3 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/5092-141-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft
- behavioral2/memory/5092-143-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft
- behavioral2/memory/5092-144-0x0000000000400000-0x0000000000418000-memory.dmp | Nirsoft

Disables RegEdit via registry modification 1 IoCs
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | PO 2.exe

Disables Task Manager via registry modification

Executes dropped EXE 1 IoCs
Processes (pid | process):
- 4632 | PO 2.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 30 | bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- PID 4632 set thread context of 5092 | 4632 | PO 2.exe | vbc.exe

Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
- File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 4632 | PO 2.exe
- Token: SeRestorePrivilege | 4236 | dw20.exe
- Token: SeBackupPrivilege | 4236 | dw20.exe (4 times)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
- 4632 | PO 2.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes (description | pid | process | target process):
- PID 3444 wrote to memory of 4632 | 3444 | 4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe | PO 2.exe (3 times)
- PID 4632 wrote to memory of 4236 | 4632 | PO 2.exe | dw20.exe (3 times)
- PID 4632 wrote to memory of 5092 | 4632 | PO 2.exe | vbc.exe (9 times)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO 2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO 2.exe"
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2288
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\PO 2.exe
  Filesize: 444KB
  MD5: e832e6b1625bd33408fe293f2a303ed9
  SHA1: dc79ad7fd138003025304e9d0bbfff35a2929722
  SHA256: 8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d
  SHA512: 9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8
- memory/3444-137-0x00000000753A0000-0x0000000075951000-memory.dmp (Filesize: 5.7MB)
- memory/3444-132-0x00000000753A0000-0x0000000075951000-memory.dmp (Filesize: 5.7MB)
- memory/4236-139-0x0000000000000000-mapping.dmp
- memory/4632-138-0x00000000753A0000-0x0000000075951000-memory.dmp (Filesize: 5.7MB)
- memory/4632-136-0x00000000753A0000-0x0000000075951000-memory.dmp (Filesize: 5.7MB)
- memory/4632-133-0x0000000000000000-mapping.dmp
- memory/4632-145-0x00000000753A0000-0x0000000075951000-memory.dmp (Filesize: 5.7MB)
- memory/5092-140-0x0000000000000000-mapping.dmp
- memory/5092-141-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/5092-143-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/5092-144-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)