Analysis
- max time kernel: 207s
- max time network: 220s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 09:20

Static task: static1
Behavioral task: behavioral1
- Sample: 311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
- Resource: win7-20220812-en

General
- Target: 311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
- Size: 1.8MB
- MD5: a3476e4532c77e8ee20ecabd1035d3fd
- SHA1: 15d58869b7ed04c16b3143ab1ee0e085056363bd
- SHA256: 311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2
- SHA512: 7d64b2923bc4a501af7afe21cf7be36a4f947e18a753be7307982d65b221ee3de410f11d9a314b894d8de33b8031dec7feaf2e874e847187c1e7245c7849759b
- SSDEEP: 49152:Mh+ZkldoPK8Yadnm74l1QeWRCZuC4gOZtHN:d2cPK8r7XbWRCZhOZtH
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\Information.txt
- Family: qulab
- URL: http://teleg.run/QulabZ
Signatures

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
  resource                                       yara_rule
  behavioral2/files/0x0007000000022e36-133.dat   acprotect
  behavioral2/files/0x0007000000022e36-134.dat   acprotect

Executes dropped EXE (1 IoC)
  pid   Process
  224   dxtrans.module.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid    Process
  1700   attrib.exe
  4884   attrib.exe

  resource                                                                         yara_rule
  behavioral2/files/0x0007000000022e36-133.dat                                     upx
  behavioral2/files/0x0007000000022e36-134.dat                                     upx
  behavioral2/files/0x0009000000022e19-140.dat                                     upx
  behavioral2/memory/224-141-0x0000000000400000-0x000000000047D000-memory.dmp      upx
  behavioral2/files/0x0009000000022e19-142.dat                                     upx
  behavioral2/memory/224-145-0x0000000000400000-0x000000000047D000-memory.dmp      upx

Loads dropped DLL (2 IoCs)
  pid    Process
  4376   dxtrans.exe
  4376   dxtrans.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  47     ipapi.co
  48     ipapi.co
  63     ipapi.co

Drops file in System32 directory (2 IoCs)
  description                    ioc                                          Process
  File opened for modification   C:\Windows\SysWOW64\winmgmts:\localhost\     dxtrans.exe
  File opened for modification   C:\Windows\SysWOW64\winmgmts:\localhost\     dxtrans.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (2 IoCs)
  description                    ioc                                                                                                   Process
  File opened for modification   C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\                                                311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\winmgmts:\localhost\          dxtrans.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4376   dxtrans.exe
  4376   dxtrans.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid    Process
  2496   311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                  pid   Process
  Token: SeRestorePrivilege    224   dxtrans.module.exe
  Token: 35                    224   dxtrans.module.exe
  Token: SeSecurityPrivilege   224   dxtrans.module.exe
  Token: SeSecurityPrivilege   224   dxtrans.module.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    Process                                                                 procid_target
  PID 2496 wrote to memory of 4376    2496   311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe   84
  PID 2496 wrote to memory of 4376    2496   311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe   84
  PID 2496 wrote to memory of 4376    2496   311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe   84
  PID 4376 wrote to memory of 224     4376   dxtrans.exe                                                             87
  PID 4376 wrote to memory of 224     4376   dxtrans.exe                                                             87
  PID 4376 wrote to memory of 224     4376   dxtrans.exe                                                             87
  PID 4376 wrote to memory of 1700    4376   dxtrans.exe                                                             96
  PID 4376 wrote to memory of 1700    4376   dxtrans.exe                                                             96
  PID 4376 wrote to memory of 1700    4376   dxtrans.exe                                                             96
  PID 4376 wrote to memory of 4884    4376   dxtrans.exe                                                             98
  PID 4376 wrote to memory of 4884    4376   dxtrans.exe                                                             98
  PID 4376 wrote to memory of 4884    4376   dxtrans.exe                                                             98

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid    Process
  1700   attrib.exe
  4884   attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe"
  PID: 2496
  - NTFS ADS
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
    Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
    PID: 4376
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
      Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\ENU_801FE97447113F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\*"
      PID: 224
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi"
      PID: 1700
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi"
      PID: 4884
      - Sets file to hidden
      - Views/modifies file attributes
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
  Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
  PID: 4808
  - Drops file in System32 directory
- C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
  Command line: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
  PID: 1292
  - Drops file in System32 directory
Downloads