Analysis
-
max time kernel
61s -
max time network
107s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
14-01-2023 13:32
Static task
static1
Behavioral task
behavioral1
Sample
0336f85236b4add19780e082d59a8f1585575781.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
0336f85236b4add19780e082d59a8f1585575781.exe
Resource
win10v2004-20220812-en
General
-
Target
0336f85236b4add19780e082d59a8f1585575781.exe
-
Size
450KB
-
MD5
d95f453a9ebfa9e852611103ecd36f2f
-
SHA1
0336f85236b4add19780e082d59a8f1585575781
-
SHA256
cb4c05bf0a3cc9a2157b5b7799e3bdad472a0b677743ebb59803fa8934def97f
-
SHA512
3f0ecfd05da6c5750ce12fe2f35f1989f0f0530fc08280fc3c8d75a5450ecd172d636aeae0703ff44d11459a9ef36d4ccaf09faf6ac9d401b03e90e1219da042
-
SSDEEP
6144:qYa6f5//2aKCh/3NDrCpCdIJaFvQIKtWBIY0Vv7B5qh8+A9j+A:qYD//R/jXtv9KNke+A
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1708 sdaqrnab.exe 300 sdaqrnab.exe -
Loads dropped DLL 3 IoCs
pid Process 1040 0336f85236b4add19780e082d59a8f1585575781.exe 1040 0336f85236b4add19780e082d59a8f1585575781.exe 1708 sdaqrnab.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sdaqrnab.exe Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sdaqrnab.exe Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sdaqrnab.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dlbuson = "C:\\Users\\Admin\\AppData\\Roaming\\jjsmhnxylliukw\\uljkxxqkgqibi.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sdaqrnab.exe\" C:\\Users\\Admin\\Ap" sdaqrnab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\APP = "C:\\Users\\Admin\\AppData\\Roaming\\APP\\APP.exe" sdaqrnab.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1708 set thread context of 300 1708 sdaqrnab.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1708 sdaqrnab.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 300 sdaqrnab.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1040 wrote to memory of 1708 1040 0336f85236b4add19780e082d59a8f1585575781.exe 28 PID 1040 wrote to memory of 1708 1040 0336f85236b4add19780e082d59a8f1585575781.exe 28 PID 1040 wrote to memory of 1708 1040 0336f85236b4add19780e082d59a8f1585575781.exe 28 PID 1040 wrote to memory of 1708 1040 0336f85236b4add19780e082d59a8f1585575781.exe 28 PID 1708 wrote to memory of 300 1708 sdaqrnab.exe 29 PID 1708 wrote to memory of 300 1708 sdaqrnab.exe 29 PID 1708 wrote to memory of 300 1708 sdaqrnab.exe 29 PID 1708 wrote to memory of 300 1708 sdaqrnab.exe 29 PID 1708 wrote to memory of 300 1708 sdaqrnab.exe 29 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sdaqrnab.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sdaqrnab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0336f85236b4add19780e082d59a8f1585575781.exe"C:\Users\Admin\AppData\Local\Temp\0336f85236b4add19780e082d59a8f1585575781.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\sdaqrnab.exe"C:\Users\Admin\AppData\Local\Temp\sdaqrnab.exe" C:\Users\Admin\AppData\Local\Temp\hwtcnkhxod.jz2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\sdaqrnab.exe"C:\Users\Admin\AppData\Local\Temp\sdaqrnab.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:300
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5350c1c8553947f395890c7b90f8340c1
SHA1d93cee703f77aca8363a89d72a19412f8c0ecbfa
SHA2567c84a8a3e1ee3d9f437bb28e196ef29cf23dacaa8e42ff24bb3de32eb4c989fc
SHA5126df1aad0916e1ce15fe86aaae3b8da71ac6250fd5a650e7f00c791e7280a6ad956b74370dd30de169fbfc7494b8bd1c5a59cf213238dfbb1507b32b9b605dbc9
-
Filesize
263KB
MD5c986bbaef989a5537130553e553d334e
SHA186944826f4f32e69c533335b88349528c9898c02
SHA256211250053910cb85f037863f02cd2046e042ea5cb74d35d075f519e3916f4506
SHA512d958618f92bf9055b30d97bf7cb3c94b946981f8e1c161739a4360b41592568b54702d21be56fb5a0c6817dcca0cc2553317c78bcef62f74b5af4fe867513a2c
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27
-
Filesize
48KB
MD584c0f3b39fa63e099aa816491e72ac45
SHA1c73fc6ec7087daa501dc02a0c8c8a94bdcd21440
SHA256ab85d2fb3e040e3b6ca60dd2b65fb5971fd7a7822e07e0187f2018ad1ecce32f
SHA512c0687c660706419a13fab627f222f451921ccea107f65f5daec12fb9118803f81dde012f1fb580250fe3f59147c5da08e30042bd5cbe75b74da5045c9c011c27