Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
27/11/2022, 05:29
General
-
Target
637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe
-
Size
102KB
-
MD5
0229ca666a0db66270c417ec65dfa466
-
SHA1
c8b6160b670e1365e6ea1180472e9356f58ad855
-
SHA256
637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e
-
SHA512
eeb276563a3f13eb4ff4baa2e38baaba382698eacd919423e93f0b98a6f452a8fa357f20df99f40fc1a33ebb11ec330ff319d20c28706a3577d9320ed4323930
-
SSDEEP
1536:zxgp2ZUpdiEnPVtp0rZrEfl1RKbAkzZd3DMtvLu+DIACfucWRwH+oTfQ9:zxgQWimp0rqffc8aZdgLu+8ACn5+oA
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe"C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Datas\setup.exe"C:\Datas\setup.exe" launch2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\22E7127P2T4TPELL\Vxbld.exelaunch3⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1&&del "C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.13⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
104KB
MD535ad9328104fc9784f4d6b08fc4bf0b3
SHA1f5169520dd16db20639869c79813e4a239a7dc1e
SHA256557d3efc17bd4429f7ae8dade1c5574fb3f9bc24f15642bc088a5f326c4314cb
SHA51262646b83367447ded9b0270d5bfac2b0d8b21c229eac50911caf6080b30a9a23a232f4c3ae34f8ffa120cdaac61f057895fac380b6ef02f4f1e40af3fe5c176d
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
36KB
MD5dd7dfd8095a4df03a0516d19ded7247a
SHA1ea32a3c877aa18697aecb3b7565fd6421d24bb42
SHA25601ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0
SHA51243fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
232KB
-
Filesize
8KB