Analysis
- max time kernel: 188s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 18:45
Static task: static1
Behavioral task: behavioral1
  Sample: 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Resource: win10v2004-20221111-en
General
- Target: 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
- Size: 1020KB
- MD5: 993bd6d2e46b2da20495aa0cfcf57d15
- SHA1: 165ed6f64873c3e505bf0210269234079aa42ffc
- SHA256: 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d
- SHA512: a33751041b518743a206ddee1f3225410db59230288808ba3698f01ba72281925ee798c48a88d644ea7bf597ce3dcaa41d9716b3313d33c777dd60822e98b7de
- SSDEEP: 24576:EgLTUe8B1dWKnCHFra8bYxXjzOcvmzSmWvO/5l:EgXUBzMNqzlvmzR/5
Malware Config
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
  resource | yara_rule
  behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
  resource | yara_rule
  behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp | WebBrowserPassView
-
Nirsoft 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  4996 | BrokerInfrastructure.exe
  5020 | AudioEndpointBuilder.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | BrokerInfrastructure.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  75 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 3420 set thread context of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Token: SeDebugPrivilege | 4996 | BrokerInfrastructure.exe
  Token: SeDebugPrivilege | 2400 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Token: SeDebugPrivilege | 5020 | AudioEndpointBuilder.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description | pid | process | target process
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 2400 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  PID 3420 wrote to memory of 4996 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | BrokerInfrastructure.exe
  PID 3420 wrote to memory of 4996 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | BrokerInfrastructure.exe
  PID 3420 wrote to memory of 4996 | 3420 | 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe | BrokerInfrastructure.exe
  PID 4996 wrote to memory of 5020 | 4996 | BrokerInfrastructure.exe | AudioEndpointBuilder.exe
  PID 4996 wrote to memory of 5020 | 4996 | BrokerInfrastructure.exe | AudioEndpointBuilder.exe
  PID 4996 wrote to memory of 5020 | 4996 | BrokerInfrastructure.exe | AudioEndpointBuilder.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d.exe"
    - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
  Filesize: 1020KB
  MD5: 993bd6d2e46b2da20495aa0cfcf57d15
  SHA1: 165ed6f64873c3e505bf0210269234079aa42ffc
  SHA256: 5041fb834d7cc499213e8900304fd26d3014b41a32ea05fbb07076f43c0b492d
  SHA512: a33751041b518743a206ddee1f3225410db59230288808ba3698f01ba72281925ee798c48a88d644ea7bf597ce3dcaa41d9716b3313d33c777dd60822e98b7de
- C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
  Filesize: 12KB
  MD5: 59882082f35cfab34acb407b7e95241c
  SHA1: caa21d2c0d24e317b48cc6d998e70e863f5a509d
  SHA256: c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d
  SHA512: 727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98
- memory/2400-134-0x0000000000000000-mapping.dmp
- memory/2400-135-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/2400-136-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/2400-145-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/3420-133-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/3420-132-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/4996-140-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/4996-137-0x0000000000000000-mapping.dmp
- memory/4996-146-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/5020-142-0x0000000000000000-mapping.dmp
- memory/5020-144-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)
- memory/5020-147-0x0000000074870000-0x0000000074E21000-memory.dmp (Filesize: 5.7MB)