Analysis

  • max time kernel
    368s
  • max time network
    375s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2023 10:39

General

  • Target

    Doc-102PO-207841001jpg.exe

  • Size

    2MB

  • MD5

    0596aefc251ba32dcb538593b0616568

  • SHA1

    9ceb68e35b93711e8247512c21ad2ccd6b8da938

  • SHA256

    f085f0ece42084f2ce26c28a27ebc9457ae32b2ecd632b3073500b7e17805659

  • SHA512

    da0d4d63ce9ecfc3d892b20f55be6769a5d28a77d9c3b7f4cb22abc51e3be604c102c1e6b7c4d7464dc8dc3f4730b204654c82292ad8899004e90cd7b4a66a5d

  • SSDEEP

    49152:gbB0FQB5MLPlG5/8uMLq0u5hRD5pbjX7i4l8B/oy6kRMF4mK/LPS/yYCxL:g90sW0dRfj7O/oyBqi/TS/yYCxL

Malware Config

Signatures

  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles ⋅ 1 TTPs 42 IoCs
  • Adds Run key to start application ⋅ 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information ⋅ 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses ⋅ 7 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs
  • outlook_office_path ⋅ 1 IoCs
  • outlook_win_path ⋅ 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe"
    Checks computer location settings
    Adds Run key to start application
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/release
      Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\system32\ipconfig.exe
        ipconfig /release
        Gathers network information
        PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/renew
      Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\system32\ipconfig.exe
        ipconfig /renew
        Gathers network information
        PID:1564
    • C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
      C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1504

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Doc-102PO-207841001jpg.exe.log

    MD5
    819dc687f4da92e5850508c10429fc9f

    SHA1
    d3441a3c46ddc99d03583be6b2ab02615baa60be

    SHA256
    357a8ea90e614160a9179ac7eb5e3ff159855a037b1bd0deecbd7d3e3a243119

    SHA512
    671735133e2643d2ec84511cb0a89dad9082e6255020fef4cd4e37b7a7207a06a36f4f22c646ce6854d6e244b2b9e090dc87aa3309a349d5b20a1a014bf1f7ee

  • memory/1100-139-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1100-133-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1100-134-0x000001D4F2130000-0x000001D4F2152000-memory.dmp
  • memory/1100-132-0x000001D4F1B00000-0x000001D4F1D1A000-memory.dmp
  • memory/1100-147-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1504-149-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1504-145-0x0000000140000000-mapping.dmp
  • memory/1504-148-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1504-150-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/1504-144-0x0000000140000000-0x0000000140098000-memory.dmp
  • memory/1564-143-0x0000000000000000-mapping.dmp
  • memory/1636-135-0x0000000000000000-mapping.dmp
  • memory/2100-136-0x0000000000000000-mapping.dmp
  • memory/2144-141-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/2144-140-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/2144-138-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp
  • memory/2144-137-0x0000000000000000-mapping.dmp
  • memory/2372-142-0x0000000000000000-mapping.dmp