Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 17:04

General

  • Target

    0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe

  • Size

    716KB

  • MD5

    925d83f35c3f88ca7523723e2c8c85e0

  • SHA1

    faee021043c5b09704e692eb7aaeb21301c70b9d

  • SHA256

    0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3

  • SHA512

    5a8f3ac798140ca5119ed416559649f0272b9f9482db1679d9f0fe4bc7826884818b917bb920f50e25e06ba58fd70bd84f4e95b5aad1d351cf6c2e7288a3b923

  • SSDEEP

    12288:S2Zw/eTW0JYVFBgcX9jCVBBQExGI7/WOpNrDRnHEWupTyOtq/RuGOWgj:tW/eTWdEyjEBBQ6WENnRkWupTSZz+

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ebuka6733

Signatures

  • Nirsoft 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
        3⤵
        • Executes dropped EXE
        PID:3376
      • C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
          4⤵
          • Drops startup file
          PID:4972
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 2456
          4⤵
          • Drops file in Windows directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1356
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
          4⤵
          PID:4900

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
      Filesize

      4KB

      MD5

      e1190859ab4f21e58d1873afc1b3cff2

      SHA1

      50d4f9f444dba70b9918c4b812b5d9a098e0f867

      SHA256

      9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

      SHA512

      f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

    • C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
      Filesize

      716KB

      MD5

      925d83f35c3f88ca7523723e2c8c85e0

      SHA1

      faee021043c5b09704e692eb7aaeb21301c70b9d

      SHA256

      0f1502b9e88b65a84347da4c922933f7c8b8c2436d1d850f8f923bdb259d4bd3

      SHA512

      5a8f3ac798140ca5119ed416559649f0272b9f9482db1679d9f0fe4bc7826884818b917bb920f50e25e06ba58fd70bd84f4e95b5aad1d351cf6c2e7288a3b923

    • memory/1356-147-0x0000000000000000-mapping.dmp
    • memory/3092-132-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp
      Filesize

      10.2MB

    • memory/4708-136-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp
      Filesize

      10.2MB

    • memory/4708-133-0x0000000000000000-mapping.dmp
    • memory/4888-138-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

    • memory/4888-139-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

    • memory/4888-145-0x0000000075260000-0x0000000075811000-memory.dmp
      Filesize

      5.7MB

    • memory/4888-148-0x0000000075260000-0x0000000075811000-memory.dmp
      Filesize

      5.7MB

    • memory/4888-140-0x0000000000400000-0x0000000000476000-memory.dmp
      Filesize

      472KB

    • memory/4888-153-0x0000000075260000-0x0000000075811000-memory.dmp
      Filesize

      5.7MB

    • memory/4888-142-0x00000000004708DE-mapping.dmp
    • memory/4900-152-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

    • memory/4900-154-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

    • memory/4900-149-0x0000000000000000-mapping.dmp
    • memory/4900-150-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

    • memory/4972-146-0x0000000000000000-mapping.dmp