b1256289d4aaada74a40b6ca52aa0d382b7660943ea31744486007653ee925ad

Analysis

max time kernel
193s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Member Stealer.exe
Size

24.3MB
MD5

e3c9d895497ffded48073eee0295bea4
SHA1

9ddaca27638db15427aca282b5a16c20eda6184e
SHA256

b1256289d4aaada74a40b6ca52aa0d382b7660943ea31744486007653ee925ad
SHA512

6a46f8041c2c85ea1adde62167bf4f054b9303eebb56fc5f14c116dd90a31faa088c50059c9c1d8cef8fa150ee64dfcef7fc64da502e7c3b6209f097b673d855
SSDEEP

393216:vmnJPDpxSBQjE7v4/Gx3OajsPk/SRSu8LrB2KNIWHzQUfUKls0p8lzOoVty:WIBQjUSq3OLk/VjLt2m1Bs0pa/y

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

Member Stealer.tmpMember Stealer.tmpVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exe

pid process

4644 Member Stealer.tmp
3996 Member Stealer.tmp
636 VC_redist.x64.exe
5076 VC_redist.x64.exe
4724 VC_redist.x64.exe

pid	process
4644	Member Stealer.tmp
3996	Member Stealer.tmp
636	VC_redist.x64.exe
5076	VC_redist.x64.exe
4724	VC_redist.x64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Member Stealer.tmpVC_redist.x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Member Stealer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Loads dropped DLL 1 IoCs

Processes:

VC_redist.x64.exe

pid process

5076 VC_redist.x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5076	VC_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Member Stealer.tmp

pid process

3996 Member Stealer.tmp
3996 Member Stealer.tmp
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3100 vssvc.exe
Token: SeRestorePrivilege 3100 vssvc.exe
Token: SeAuditPrivilege 3100 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Member Stealer.tmp

pid process

3996 Member Stealer.tmp

pid	process
3996	Member Stealer.tmp
3996	Member Stealer.tmp

description	pid	process
Token: SeBackupPrivilege	3100	vssvc.exe
Token: SeRestorePrivilege	3100	vssvc.exe
Token: SeAuditPrivilege	3100	vssvc.exe

pid	process
3996	Member Stealer.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Member Stealer.exeMember Stealer.tmpMember Stealer.exeMember Stealer.tmpVC_redist.x64.exeVC_redist.x64.exe

description	pid	process	target process
PID 852 wrote to memory of 4644	852	Member Stealer.exe	Member Stealer.tmp
PID 852 wrote to memory of 4644	852	Member Stealer.exe	Member Stealer.tmp
PID 852 wrote to memory of 4644	852	Member Stealer.exe	Member Stealer.tmp
PID 4644 wrote to memory of 1648	4644	Member Stealer.tmp	Member Stealer.exe
PID 4644 wrote to memory of 1648	4644	Member Stealer.tmp	Member Stealer.exe
PID 4644 wrote to memory of 1648	4644	Member Stealer.tmp	Member Stealer.exe
PID 1648 wrote to memory of 3996	1648	Member Stealer.exe	Member Stealer.tmp
PID 1648 wrote to memory of 3996	1648	Member Stealer.exe	Member Stealer.tmp
PID 1648 wrote to memory of 3996	1648	Member Stealer.exe	Member Stealer.tmp
PID 3996 wrote to memory of 636	3996	Member Stealer.tmp	VC_redist.x64.exe
PID 3996 wrote to memory of 636	3996	Member Stealer.tmp	VC_redist.x64.exe
PID 3996 wrote to memory of 636	3996	Member Stealer.tmp	VC_redist.x64.exe
PID 636 wrote to memory of 5076	636	VC_redist.x64.exe	VC_redist.x64.exe
PID 636 wrote to memory of 5076	636	VC_redist.x64.exe	VC_redist.x64.exe
PID 636 wrote to memory of 5076	636	VC_redist.x64.exe	VC_redist.x64.exe
PID 5076 wrote to memory of 4724	5076	VC_redist.x64.exe	VC_redist.x64.exe
PID 5076 wrote to memory of 4724	5076	VC_redist.x64.exe	VC_redist.x64.exe
PID 5076 wrote to memory of 4724	5076	VC_redist.x64.exe	VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\is-IUAD6.tmp\Member Stealer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IUAD6.tmp\Member Stealer.tmp" /SL5="$901D8,24626888,780800,C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe" /SILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\is-FPDCB.tmp\Member Stealer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FPDCB.tmp\Member Stealer.tmp" /SL5="$5002A,24626888,780800,C:\Users\Admin\AppData\Local\Temp\Member Stealer.exe" /SILENT
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\is-E52J8.tmp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\is-E52J8.tmp\VC_redist.x64.exe" /install /quiet
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\Temp\{949DD5D3-B780-46AD-BEE6-591AE6141191}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{949DD5D3-B780-46AD-BEE6-591AE6141191}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-E52J8.tmp\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\Temp\{291E588D-EA12-4D75-BE6C-7DF9C78AE7D7}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{291E588D-EA12-4D75-BE6C-7DF9C78AE7D7}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A203BCAA-3C93-4E49-AD1B-0F5D34F0ADC5} {502852AE-3477-4C89-A7CF-8BB213CA5E28} 5076
7⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-E52J8.tmp\VC_redist.x64.exe
Filesize
24.3MB

MD5
703bd677778f2a1ba1eb4338bac3b868

SHA1
a176f140e942920b777f80de89e16ea57ee32be8

SHA256
2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

SHA512
a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E52J8.tmp\VC_redist.x64.exe
Filesize
24.3MB

MD5
703bd677778f2a1ba1eb4338bac3b868

SHA1
a176f140e942920b777f80de89e16ea57ee32be8

SHA256
2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

SHA512
a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPDCB.tmp\Member Stealer.tmp
Filesize
2.9MB

MD5
e2a184e42d11e6c36694ce8d5c736983

SHA1
5189de9245ab16fa619e70dde2bb6fb642ea823c

SHA256
c674e8f8a590def5a2e13f77c2ea3fc044869bc613c99f7ee86a13654748a964

SHA512
1cf2ec3aa15299ac01adb878803e92c619957e9febb621f688cba9c38b0fd2f0ef58c87f566676c9df0e81b73d6492a0fc0a5cc47679ebbd495125c20c756551

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IUAD6.tmp\Member Stealer.tmp
Filesize
2.9MB

MD5
e2a184e42d11e6c36694ce8d5c736983

SHA1
5189de9245ab16fa619e70dde2bb6fb642ea823c

SHA256
c674e8f8a590def5a2e13f77c2ea3fc044869bc613c99f7ee86a13654748a964

SHA512
1cf2ec3aa15299ac01adb878803e92c619957e9febb621f688cba9c38b0fd2f0ef58c87f566676c9df0e81b73d6492a0fc0a5cc47679ebbd495125c20c756551

Download Submit
C:\Windows\Temp\{291E588D-EA12-4D75-BE6C-7DF9C78AE7D7}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{291E588D-EA12-4D75-BE6C-7DF9C78AE7D7}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{291E588D-EA12-4D75-BE6C-7DF9C78AE7D7}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{949DD5D3-B780-46AD-BEE6-591AE6141191}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{949DD5D3-B780-46AD-BEE6-591AE6141191}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
memory/636-145-0x0000000000000000-mapping.dmp

Download
memory/852-144-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/852-132-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/852-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/852-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1648-141-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1648-139-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1648-138-0x0000000000000000-mapping.dmp

Download
memory/1648-155-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3996-142-0x0000000000000000-mapping.dmp

Download
memory/4644-135-0x0000000000000000-mapping.dmp

Download
memory/4724-152-0x0000000000000000-mapping.dmp

Download
memory/5076-148-0x0000000000000000-mapping.dmp

Download