Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
  Resource: win10v2004-20221111-en
General
- Target: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
- Size: 1.2MB
- MD5: a2aad753587a08feeb95e997e0b50b06
- SHA1: 44e7398af49003fa3d8632519af7910360f9bb93
- SHA256: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8
- SHA512: 4283eb55e555019e0b6bc8bb6399080a780c648fb02a9778435d2b4fc8eb8369aea291cc36940aad4a3e322af9b87152adc0c297d98e011dc85077709419b96d
- SSDEEP: 24576:w32K9nTaIi6fKcs2RDCZ3uBs0Sb9m3n7IWOZp46aE9RAW:w3MIimKZ8mBuBs0S58nbOZ1aE9O
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    5040  cpuid.exe
- Processes (resource / yara_rule):
    resource                                                             yara_rule
    C:\Users\Admin\AppData\Roaming\cpuid.exe                             upx
    C:\Users\Admin\AppData\Roaming\cpuid.exe                             upx
    behavioral2/memory/5040-143-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
    behavioral2/memory/5040-144-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
    behavioral2/memory/5040-146-0x0000000000400000-0x00000000004C1000-memory.dmp   upx
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
    description      ioc                                                                                                                                                                         process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\""   f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
    resource                                                                          yara_rule
    behavioral2/memory/5040-143-0x0000000000400000-0x00000000004C1000-memory.dmp     autoit_exe
    behavioral2/memory/5040-144-0x0000000000400000-0x00000000004C1000-memory.dmp     autoit_exe
    behavioral2/memory/5040-146-0x0000000000400000-0x00000000004C1000-memory.dmp     autoit_exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
    description                              pid   process                                                                   target process
    PID 2612 set thread context of 2216      2612  f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe     vbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (11 IoCs)
  Processes: cpuid.exe
    pid   process
    5040  cpuid.exe   (11 identical entries)
- Suspicious use of SendNotifyMessage (11 IoCs)
  Processes: cpuid.exe
    pid   process
    5040  cpuid.exe   (11 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe, vbc.exe, cpuid.exe
    description                          pid   process                                                                   target process
    PID 2612 wrote to memory of 2216     2612  f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe     vbc.exe       (9 identical entries)
    PID 2216 wrote to memory of 5040     2216  vbc.exe                                                                   cpuid.exe     (3 identical entries)
    PID 5040 wrote to memory of 1744     5040  cpuid.exe                                                                 cmd.exe       (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2bd8dad0865697b7422f3ef00bd860c3616e8080dbf12c7e6b0e5828cebf0d8.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\cpuid.exe
         Command line: "C:\Users\Admin\AppData\Roaming\cpuid.exe"
         - Executes dropped EXE
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c dir /b /s /a "C:\Users\Admin\AppData\Roaming\*.dat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\cpuid.exe
  Filesize: 376KB
  MD5: 3f941c126d0b8babc471e0e91c49a5bf
  SHA1: 6f7b63fbdf1bd596a4c87c04a023b6ab75c8b1d7
  SHA256: 357aeae30cfdc314f327d40f9be6e95a7b6bdb2688fe8fc0102a8a19c88c5af8
  SHA512: ee09f0b1d43055714cd209141454114e190b0e36f16aeeb0b2368f7ff7bb9f6cdaf7b963e57059182121b530dd9f56bfd9077b83cddb522f04e5802ea6045a72
- C:\Users\Admin\AppData\Roaming\cpuid.exe
  Filesize: 376KB
  MD5: 3f941c126d0b8babc471e0e91c49a5bf
  SHA1: 6f7b63fbdf1bd596a4c87c04a023b6ab75c8b1d7
  SHA256: 357aeae30cfdc314f327d40f9be6e95a7b6bdb2688fe8fc0102a8a19c88c5af8
  SHA512: ee09f0b1d43055714cd209141454114e190b0e36f16aeeb0b2368f7ff7bb9f6cdaf7b963e57059182121b530dd9f56bfd9077b83cddb522f04e5802ea6045a72
- memory/1744-145-0x0000000000000000-mapping.dmp
- memory/2216-142-0x0000000000400000-0x00000000004BB000-memory.dmp
  Filesize: 748KB
- memory/2216-138-0x0000000000400000-0x00000000004BB000-memory.dmp
  Filesize: 748KB
- memory/2216-136-0x0000000000400000-0x00000000004BB000-memory.dmp
  Filesize: 748KB
- memory/2216-134-0x0000000000400000-0x00000000004BB000-memory.dmp
  Filesize: 748KB
- memory/2216-133-0x0000000000000000-mapping.dmp
- memory/2612-137-0x0000000075270000-0x0000000075821000-memory.dmp
  Filesize: 5.7MB
- memory/2612-132-0x0000000075270000-0x0000000075821000-memory.dmp
  Filesize: 5.7MB
- memory/5040-139-0x0000000000000000-mapping.dmp
- memory/5040-143-0x0000000000400000-0x00000000004C1000-memory.dmp
  Filesize: 772KB
- memory/5040-144-0x0000000000400000-0x00000000004C1000-memory.dmp
  Filesize: 772KB
- memory/5040-146-0x0000000000400000-0x00000000004C1000-memory.dmp
  Filesize: 772KB