Analysis
max time kernel: 153s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 18:14
Static task: static1
Behavioral task: behavioral1
  Sample: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
  Resource: win10v2004-20221111-en
General
Target: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
Size: 1.6MB
MD5: 2b7823f86268bfb968865907ce46750a
SHA1: e5fdbeed91bc034728ddd79807fd0c5cce10df6b
SHA256: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d
SHA512: bcfedf113c2008a1de006043c6dd4d9fd63be71a18bbb5709e73607693083a668e9b9c81c7a93064f054eafa9b4b6add28ff4c35203500feb2afb94c6280a0c5
SSDEEP: 24576:72O/GlKfj2BeJbXJAdVutylJJmAdCDD0/ARLPCs8KrM3bD4d7g6zwm4m53Sb23:X9JautylSAdK0/ARLq7bDQ5kFm53Sy3
Malware Config
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/4408-138-0x0000000000000000-mapping.dmp | MailPassView
  behavioral2/memory/4408-139-0x0000000000400000-0x00000000004F0000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/4408-138-0x0000000000000000-mapping.dmp | WebBrowserPassView
  behavioral2/memory/4408-139-0x0000000000400000-0x00000000004F0000-memory.dmp | WebBrowserPassView

Nirsoft (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4408-138-0x0000000000000000-mapping.dmp | Nirsoft
  behavioral2/memory/4408-139-0x0000000000400000-0x00000000004F0000-memory.dmp | Nirsoft
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2044 | acrob32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | acrob32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\d2vkfr8 = "C:\\Users\\Admin\\d2vkfr8\\liwqphgosxd.vbs" | acrob32.exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | acrob32.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 2044 set thread context of 4408 | 2044 | acrob32.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2044 | acrob32.exe (64 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 4040 wrote to memory of 2044 | 4040 | caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe | acrob32.exe (3 identical entries)
  PID 2044 wrote to memory of 4408 | 2044 | acrob32.exe | RegSvcs.exe (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\d2vkfr8\acrob32.exe
      Command line: "C:\Users\Admin\d2vkfr8\acrob32.exe" tolmkgbamw
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\d2vkfr8\acrob32.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
C:\Users\Admin\d2vkfr8\arrgfr.PTT
  Filesize: 84B
  MD5: 05b3d58b2ea16dd9083e3a10787c6563
  SHA1: 1535f36c16d8346cdae641600167272167250db9
  SHA256: d608f03ca15c996a4dc6ca0c5706acb5b61986ee8c8a7e108967ee6c619dc3ec
  SHA512: 45cf8258804c09e1fceed1546e2a13409aee3bd20f7498278e60080d5048cb9e592c03589306e24e35497ecc21f77c249451b70878e8b260ed8a411737928280

C:\Users\Admin\d2vkfr8\sqxp.WCT
  Filesize: 936KB
  MD5: 95562f764e16e1d2445b6449428a1839
  SHA1: 9ce1664ce6206e0c8a78e7de5a759643358cc505
  SHA256: 6b26fedf0364f8fd558f8c60279886529ba298b4f8e6c6a473772900a52e887e
  SHA512: 8fef2425f21bdd5c45b4470336284c53b5a5d0161be6c87906d0b684551c5edf5f7f88eb63e2aa167e5b47dce6c17ecd7354f948222243ca341a515b9bf30a19

C:\Users\Admin\d2vkfr8\tolmkgbamw
  Filesize: 306.2MB
  MD5: 07ae1fae147a2737c9c61f4c61efe8be
  SHA1: 626d33ed3de4f3e3d8cee6a93caccdf47e869e1c
  SHA256: 50cd946449317eb4a86d561450dd590247f3508c520391380ea3d4218d88e945
  SHA512: fce031e74412a341f9c29bd4125e9c8d3460ad57dcd72183294f01c6ea3cf445914f53e6adb62d7a30431855f7228a1f0b0e1ce85c62560c85f131d2284ef479

memory/2044-132-0x0000000000000000-mapping.dmp

memory/4408-138-0x0000000000000000-mapping.dmp

memory/4408-139-0x0000000000400000-0x00000000004F0000-memory.dmp
  Filesize: 960KB

memory/4408-140-0x0000000073F90000-0x0000000074541000-memory.dmp
  Filesize: 5.7MB