Analysis
max time kernel: 168s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 10:48
Behavioral task: behavioral1
Sample: PI.exe
Resource: win7-20220812-en
General
Target: PI.exe
Size: 992KB
MD5: f915f94f551c0c5371d093dbe27bbfaa
SHA1: 912941a11e2c924eceb37ac5928ba457a10d8512
SHA256: 9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512: a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
SSDEEP: 24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP
Malware Config
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/4608-153-0x0000000000400000-0x0000000000484000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/4608-153-0x0000000000400000-0x0000000000484000-memory.dmp | WebBrowserPassView
-
Nirsoft 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4608-153-0x0000000000400000-0x0000000000484000-memory.dmp | Nirsoft
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  32 | IpOverUsbSvrc.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | PI.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
  C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe | agile_net
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe" | IpOverUsbSvrc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | PI.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  41 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 4864 set thread context of 4524 | 4864 | PI.exe | PI.exe
  PID 4524 set thread context of 1388 | 4524 | PI.exe | PI.exe
  PID 1388 set thread context of 4608 | 1388 | PI.exe | PI.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  4864 | PI.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4864 | PI.exe
  Token: SeDebugPrivilege | 4524 | PI.exe
  Token: SeDebugPrivilege | 32 | IpOverUsbSvrc.exe
  Token: SeDebugPrivilege | 1388 | PI.exe
  Token: SeDebugPrivilege | 4608 | PI.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  4608 | PI.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  description | pid | process | target process
  PID 4864 wrote to memory of 4524 | 4864 | PI.exe | PI.exe (8 entries)
  PID 4864 wrote to memory of 32 | 4864 | PI.exe | IpOverUsbSvrc.exe (3 entries)
  PID 4524 wrote to memory of 1388 | 4524 | PI.exe | PI.exe (8 entries)
  PID 1388 wrote to memory of 4608 | 1388 | PI.exe | PI.exe (8 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\PI.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PI.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\PI.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\PI.exe (depth 4)
            Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PI.exe.log
Filesize: 496B
MD5: cb76b18ebed3a9f05a14aed43d35fba6
SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize: 11KB
MD5: 03c4f3f5cdbc342eb1c0349e001fdd0c
SHA1: 7d45ed19db4eaed16d1985240c98fab7623798e5
SHA256: a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512: d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize: 992KB
MD5: f915f94f551c0c5371d093dbe27bbfaa
SHA1: 912941a11e2c924eceb37ac5928ba457a10d8512
SHA256: 9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512: a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
-
memory/32-142-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/32-136-0x0000000000000000-mapping.dmp
memory/32-139-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/1388-146-0x0000000000400000-0x00000000004CE000-memory.dmp (824KB)
memory/1388-145-0x0000000000000000-mapping.dmp
memory/1388-149-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/1388-148-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4524-150-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4524-134-0x0000000000400000-0x00000000004E6000-memory.dmp (920KB)
memory/4524-133-0x0000000000000000-mapping.dmp
memory/4524-141-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4524-135-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4608-152-0x0000000000000000-mapping.dmp
memory/4608-153-0x0000000000400000-0x0000000000484000-memory.dmp (528KB)
memory/4608-154-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4608-155-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4864-132-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4864-143-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)
memory/4864-140-0x00000000752B0000-0x0000000075861000-memory.dmp (5.7MB)