Analysis

max time kernel: 171s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 18:53

Static task: static1
Behavioral task: behavioral1
Sample: eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Resource: win7-20221111-en

Note: the memory-dump IoCs further down are tagged behavioral2, i.e. they come from the Windows 10 run described by the platform/resource fields above, not from the win7 behavioral1 task listed here.
General

Target: eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Size: 1021KB
MD5: 6c12cc7ca5d34515853fbdcab38c4952
SHA1: 42ee498ba3224c39bd5201b674ead9551c50b866
SHA256: eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05
SHA512: f71b1241c92c571e1d1b92e83ba5b16706c1110125caec95ea06e8a925f1ef6bee5b89653224b94b5376c638a66db3117525829abcf242eee778c345feb16d98
SSDEEP: 24576:FzCFGMRixipxAm30YLv/NaEqIahdOQkwH1pUPX:WGMYxWaG0Yr/MndZfU
Malware Config

Extracted (exfiltration channel):
Protocol: smtp
Host: smtp.mail.com
Port: 587
Username: tina-sockichina@mail.com
Password: collins123

These are the credentials the sample uses to mail out harvested data; the NirSoft password-recovery matches below are what it collects.
Signatures

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients.
yara_rule match: behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp (rule: MailPassView)

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers.
yara_rule match: behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp (rule: WebBrowserPassView)

Nirsoft (1 IoC)
yara_rule match: behavioral2/memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp (rule: Nirsoft)

All three rules hit the same 960KB dump of PID 3968, the process whose thread context is rewritten by PID 2820 (see SetThreadContext below); the NirSoft tooling lives in the unpacked image, not in the file on disk.
Executes dropped EXE (2 IoCs)
pid  process
4636 BrokerInfrastructure.exe
3884 AudioEndpointBuilder.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description      ioc                                                                                               process
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation BrokerInfrastructure.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                   process
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

The value name "Windows Update" and the path under AppData\Roaming imitate a system component. No file named WindowsUpdate.exe appears in this report's Downloads section; the files actually written during the run are BrokerInfrastructure.exe and AudioEndpointBuilder.exe under AppData\Roaming\Microsoft, so a host check should cover both the Run value and that directory.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
85    whatismyipaddress.com
87    whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoC)
description            pid   process                                                                  target process
set thread context of  2820  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe  3968 eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe

Parent and target run the same image: PID 2820 starts a second copy of itself (PID 3968), writes into it (WriteProcessMemory below) and then redirects its thread context. That is the process-hollowing pattern, and it is why the unpacked NirSoft code is found only in the memory dump of PID 3968.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour"; it is a generic heuristic, and nothing else in this report (credential-recovery tooling, an SMTP exfiltration config, no file encryption activity) points to ransomware.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process                                                                  count
2820  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe  63 (every entry except the one below)
4636  BrokerInfrastructure.exe                                                 1
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description               pid   process
Token: SeDebugPrivilege   2820  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Token: SeDebugPrivilege   4636  BrokerInfrastructure.exe
Token: SeDebugPrivilege   3968  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
3968  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description         pid   process                                                                  target process                  count
wrote to memory of  2820  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe  3968 (same image)               8
wrote to memory of  2820  eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe  4636 BrokerInfrastructure.exe   3
wrote to memory of  4636  BrokerInfrastructure.exe                                                 3884 AudioEndpointBuilder.exe   3
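The SetThreadContext and WriteProcessMemory entries above are the raw material for telling hollowing apart from ordinary child launches. The following script is an added example (not part of the sandbox report or its tooling) that parses event lines in the report's own "PID <src> wrote to memory of <dst> <src> <image> <image>" format, groups them per source/target pair and labels the pair: a thread-context change plus writes into a child running the same image is the hollowing signature seen here, while writes alone are what a parent also does when it simply starts a child. The event list is constructed from this report's entries (same PIDs, images and counts); the function and label names are this example's own.

```python
import re
from collections import defaultdict

# The sample's file name, as it appears throughout the report.
SAMPLE = "eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe"

# Event lines constructed from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" sections of this report:
# 1 SetThreadContext and 8 + 3 + 3 WriteProcessMemory calls.
REPORT_EVENTS = (
    [f"PID 2820 set thread context of 3968 2820 {SAMPLE} {SAMPLE}"]
    + [f"PID 2820 wrote to memory of 3968 2820 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 2820 wrote to memory of 4636 2820 {SAMPLE} BrokerInfrastructure.exe"] * 3
    + ["PID 4636 wrote to memory of 3884 4636 BrokerInfrastructure.exe AudioEndpointBuilder.exe"] * 3
)

# "PID <src> <api> <dst> <src> <src image> <dst image>"; the source PID is repeated
# in the report's lines, so the backreference doubles as a sanity check.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_event(line):
    """Return (api, src_pid, dst_pid, src_img, dst_img), or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    api = "WriteProcessMemory" if m["api"].startswith("wrote") else "SetThreadContext"
    return api, int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def classify(lines):
    """Group cross-process events by (src, dst) and label each pair.

    hollowing:  SetThreadContext plus at least one WriteProcessMemory into a child
                running the same image as the parent (RunPE-style self-injection:
                the parent overwrites the suspended child's image and redirects
                its thread to the new entry point).
    injection:  SetThreadContext plus writes into a process with a different image.
    write_only: WriteProcessMemory without a thread-context change; not conclusive
                on its own, since a parent also writes into a child it launches normally.
    ctx_only:   thread-context change without any recorded writes.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_img": None, "dst_img": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        api, src, dst, src_img, dst_img = ev
        rec = pairs[(src, dst)]
        rec["src_img"], rec["dst_img"] = src_img, dst_img
        rec["writes" if api == "WriteProcessMemory" else "ctx"] += 1

    result = {}
    for key, rec in pairs.items():
        if rec["ctx"] and rec["writes"]:
            label = "hollowing" if rec["src_img"] == rec["dst_img"] else "injection"
        elif rec["writes"]:
            label = "write_only"
        else:
            label = "ctx_only"
        result[key] = dict(rec, label=label)
    return result


def hollowed_pids(lines):
    """PIDs whose memory dumps are worth scanning for the unpacked payload (YARA, strings)."""
    return sorted(dst for (_, dst), rec in classify(lines).items() if rec["label"] == "hollowing")


if __name__ == "__main__":
    for (src, dst), rec in sorted(classify(REPORT_EVENTS).items()):
        print(f"{src} -> {dst}: {rec['label']:10s} writes={rec['writes']} ctx={rec['ctx']} "
              f"{rec['src_img'][:16]} -> {rec['dst_img'][:16]}")
    print("dump targets:", hollowed_pids(REPORT_EVENTS))
```

Run against the report's events, the only pair labelled hollowing is 2820 -> 3968, which is exactly the process whose 0x400000-0x4F0000 dump the NirSoft YARA rules matched; the writes from 2820 into 4636 and from 4636 into 3884 have no thread-context change and line up with the "Executes dropped EXE" launches of BrokerInfrastructure.exe and AudioEndpointBuilder.exe.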
Processes

1. C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe (PID 2820)
   "C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe (PID 3968, second instance hollowed by PID 2820)
      "C:\Users\Admin\AppData\Local\Temp\eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05.exe"
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe (PID 4636)
      "C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe (PID 3884)
         "C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
         - Executes dropped EXE

PIDs are taken from the signature tables above (SetThreadContext, AdjustPrivilegeToken, SetWindowsHookEx and Executes dropped EXE).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe (listed twice in the report, identical hashes both times)
Filesize: 1021KB
MD5: 6c12cc7ca5d34515853fbdcab38c4952
SHA1: 42ee498ba3224c39bd5201b674ead9551c50b866
SHA256: eb548a2660b0842bfea0f95719ffd231fb10665fbdc11d24ed4c27dfcbfeef05
SHA512: f71b1241c92c571e1d1b92e83ba5b16706c1110125caec95ea06e8a925f1ef6bee5b89653224b94b5376c638a66db3117525829abcf242eee778c345feb16d98
These hashes match the submitted sample: the file is a byte-for-byte copy of the original executable placed under a system-sounding name.

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe (listed twice in the report, identical hashes both times)
Filesize: 12KB
MD5: 59882082f35cfab34acb407b7e95241c
SHA1: caa21d2c0d24e317b48cc6d998e70e863f5a509d
SHA256: c92ab4aa356c559b7701747f53b4a09bc0643d96e2a269493eab7b101e31950d
SHA512: 727f4e41b3c742720e4efc3d734a1fe4fc2d11711cb2874151a4087727db00e437997fec8a54bf46d8e6a5af4e6ea9b12e29f763f8ae30e8d209a4bd64a4cb98
A small second binary; per the process tree it is the one that launches AudioEndpointBuilder.exe.

Memory dumps

memory/2820-132-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/2820-133-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/3884-144-0x0000000000000000-mapping.dmp
memory/3884-146-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/3884-147-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/3968-134-0x0000000000000000-mapping.dmp
memory/3968-135-0x0000000000400000-0x00000000004F0000-memory.dmp  960KB  (the dump on which the three NirSoft YARA rules matched)
memory/3968-139-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/3968-141-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/4636-136-0x0000000000000000-mapping.dmp
memory/4636-140-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB
memory/4636-142-0x00000000753F0000-0x00000000759A1000-memory.dmp  5.7MB