23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe
Size

176KB
MD5

28182580f22c8ebd15c1fe0bb23dea60
SHA1

ff76a2192000039e3b57e776dd6f572dda117960
SHA256

23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3
SHA512

8b12f57117e90d1d73cb85a7a7996d1eb157c90ba39eccc462de2487c903f3c3b7326faef693eb04f73125cad71a0289b9fecdc8d17e744fadc92b75f65ddad2
SSDEEP

3072:L4lRkAehGfzmuqTPryFd8RQJVyhjwdIotiIOmklnTVp8+fh/Knh6/fUzG:L4lRkAehaKuqT+FdAQJilotiIOmIntf1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1600	starter.exe
1096	SkypeStealer.exe

Loads dropped DLL 4 IoCs

pid	Process
1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe
1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe
1272	cmd.exe
1272	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
912	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	taskkill.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1392 wrote to memory of 1600	1392	23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe	27
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1600 wrote to memory of 1272	1600	starter.exe	28
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1272 wrote to memory of 1096	1272	cmd.exe	30
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 1096 wrote to memory of 956	1096	SkypeStealer.exe	31
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 912	956	cmd.exe	33
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35
PID 956 wrote to memory of 364	956	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe
"C:\Users\Admin\AppData\Local\Temp\23bd242bc705fbed16fd6421e993cb059e620122a7b36b2228ad735909b0c9b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\starter.exe
  "C:\Users\Admin\AppData\Local\Temp\starter.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\160FBCD.bat" "C:\Users\Admin\AppData\Local\Temp\starter.exe" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\SkypeStealer.exe
      SkypeStealer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\109FC98.bat" SkypeStealer.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Skype.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
      - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Roaming\Skype" "C:\Users\Admin\AppData\Local\Temp\skype\" /c /s /e /y /-y
        6⤵
        Enumerates system info in registry
        
        PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\109FC98.bat

Filesize
90B

MD5
91a842aa7b98842bc5bd518ddfe64a00

SHA1
ac801323d2776dd6bbdb7ffb58fe9c082f1e9d26

SHA256
b50fc5c7fc065ab8772fd93e01a924ab58e161c9e943431c191157b7f554ddd5

SHA512
48ab475aa297febf746b954bd6451581d71280bf816a75a59b7fc89e65494a846bc1be6c302cfcf19b1b6d0e199cae80448b18ae510c749a53479a39a2b319c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\160FBCD.bat

Filesize
139B

MD5
f7946f7766ef7baaf1c995aa75ed573b

SHA1
352d3edcc135b0a6bdd922aa372fcf1fc8d944ef

SHA256
2d159e837be5a4e1a6217b952b870ac4b8ead51e4e92c33ac3cd6c403338482a

SHA512
7243af431d9287c3117d7cd9a9d771be818fc15c3b3da18098bb5e14666ed701b839b565f8de7bd2837735550819823ae6e5e15411925c0ec45b8d97b2fcca4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkypeStealer.exe

Filesize
86KB

MD5
c532ca335d9fd8219dfe03f74e91a72b

SHA1
54857e9513da2e1bb32ffb665628f94c0ea65c95

SHA256
426d1576738f9470b79e262161797ad04f2a0a855b8c3debcbdd4d67b320352a

SHA512
203adda288076559c1f6df4e4fd385515b9fd09db08be4beb93b219f2f85f0304aaedd4cebff8532365d7a057645e2d0db869bfe28c4bb2f05b13b0b296b06eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkypeStealer.exe

Filesize
86KB

MD5
c532ca335d9fd8219dfe03f74e91a72b

SHA1
54857e9513da2e1bb32ffb665628f94c0ea65c95

SHA256
426d1576738f9470b79e262161797ad04f2a0a855b8c3debcbdd4d67b320352a

SHA512
203adda288076559c1f6df4e4fd385515b9fd09db08be4beb93b219f2f85f0304aaedd4cebff8532365d7a057645e2d0db869bfe28c4bb2f05b13b0b296b06eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\starter.exe

Filesize
86KB

MD5
3e3d63a165744c2e9ac79d75a3956272

SHA1
308167734296e99cfce9f132238f5ddc6571d9e1

SHA256
b56ffee3474ad8342af05eda9d08b000f4446b7334ab61ed4a024694ba4373c4

SHA512
a73807d837f9749c02bc58050bd474e00668dc6d2d91d0c1edad03f049fd239d0cedcee6b6c300e7da382b08fa4e3c5fea6460ab7ef72ecd3e34c2cd75d932f0

Download Submit
\Users\Admin\AppData\Local\Temp\SkypeStealer.exe

Filesize
86KB

MD5
c532ca335d9fd8219dfe03f74e91a72b

SHA1
54857e9513da2e1bb32ffb665628f94c0ea65c95

SHA256
426d1576738f9470b79e262161797ad04f2a0a855b8c3debcbdd4d67b320352a

SHA512
203adda288076559c1f6df4e4fd385515b9fd09db08be4beb93b219f2f85f0304aaedd4cebff8532365d7a057645e2d0db869bfe28c4bb2f05b13b0b296b06eb

Download Submit
\Users\Admin\AppData\Local\Temp\SkypeStealer.exe

Filesize
86KB

MD5
c532ca335d9fd8219dfe03f74e91a72b

SHA1
54857e9513da2e1bb32ffb665628f94c0ea65c95

SHA256
426d1576738f9470b79e262161797ad04f2a0a855b8c3debcbdd4d67b320352a

SHA512
203adda288076559c1f6df4e4fd385515b9fd09db08be4beb93b219f2f85f0304aaedd4cebff8532365d7a057645e2d0db869bfe28c4bb2f05b13b0b296b06eb

Download Submit
\Users\Admin\AppData\Local\Temp\starter.exe

Filesize
86KB

MD5
3e3d63a165744c2e9ac79d75a3956272

SHA1
308167734296e99cfce9f132238f5ddc6571d9e1

SHA256
b56ffee3474ad8342af05eda9d08b000f4446b7334ab61ed4a024694ba4373c4

SHA512
a73807d837f9749c02bc58050bd474e00668dc6d2d91d0c1edad03f049fd239d0cedcee6b6c300e7da382b08fa4e3c5fea6460ab7ef72ecd3e34c2cd75d932f0

Download Submit
\Users\Admin\AppData\Local\Temp\starter.exe

Filesize
86KB

MD5
3e3d63a165744c2e9ac79d75a3956272

SHA1
308167734296e99cfce9f132238f5ddc6571d9e1

SHA256
b56ffee3474ad8342af05eda9d08b000f4446b7334ab61ed4a024694ba4373c4

SHA512
a73807d837f9749c02bc58050bd474e00668dc6d2d91d0c1edad03f049fd239d0cedcee6b6c300e7da382b08fa4e3c5fea6460ab7ef72ecd3e34c2cd75d932f0

Download Submit
memory/364-74-0x0000000000000000-mapping.dmp

Download
memory/912-72-0x0000000000000000-mapping.dmp

Download
memory/956-69-0x0000000000000000-mapping.dmp

Download
memory/1096-66-0x0000000000000000-mapping.dmp

Download
memory/1272-60-0x0000000000000000-mapping.dmp

Download
memory/1392-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1600-57-0x0000000000000000-mapping.dmp

Download