Analysis
- max time kernel: 150s
- max time network: 75s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 08:19

Static task: static1
Behavioral task: behavioral1
Sample: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
Resource: win7-20220901-en
General
- Target: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
- Size: 532KB
- MD5: 4aa2148b49e9956201b00ab8c5914e09
- SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
- SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
- SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f
- SSDEEP: 12288:vHbypKkBLIvL6omZrRgRlKnninnnnfNobnnnnuLeqLt:vbyowLIvL65ZriR4ninnfNknuLeqLt
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: k4ivitu@gmail.com
- Password: Vajalik312
Signatures

- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
  1872 explorer.exe
  1760 explorer.exe
  1764 mWSCvAP.exe
  1856 SiaPort.exe
  1452 SiaPort.exe

- Deletes itself (1 IoC)
  Processes (pid, process):
  1872 explorer.exe

- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
  1256 bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
  1256 bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
  1872 explorer.exe
  1872 explorer.exe
  1764 mWSCvAP.exe
  1764 mWSCvAP.exe
  1856 SiaPort.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mWSCvAP.exe" (mWSCvAP.exe)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  PID 1872 set thread context of 1760: 1872 explorer.exe -> explorer.exe
  PID 1856 set thread context of 1452: 1856 SiaPort.exe -> SiaPort.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; the 64 IoCs are repeated hits on these four processes):
  1872 explorer.exe
  1764 mWSCvAP.exe
  1856 SiaPort.exe
  1760 explorer.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1256 bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
  Token: SeDebugPrivilege 1872 explorer.exe
  Token: SeDebugPrivilege 1764 mWSCvAP.exe
  Token: SeDebugPrivilege 1856 SiaPort.exe
  Token: SeDebugPrivilege 1760 explorer.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  1760 explorer.exe

- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process; identical entries collapsed with their count):
  PID 1256 wrote to memory of 1872: 1256 bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe -> explorer.exe (4 entries)
  PID 1872 wrote to memory of 1760: 1872 explorer.exe -> explorer.exe (9 entries)
  PID 1872 wrote to memory of 1764: 1872 explorer.exe -> mWSCvAP.exe (4 entries)
  PID 1764 wrote to memory of 1856: 1764 mWSCvAP.exe -> SiaPort.exe (4 entries)
  PID 1856 wrote to memory of 1452: 1856 SiaPort.exe -> SiaPort.exe (9 entries)
Processes (process tree; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        - Executes dropped EXE
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
            Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
                    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 75c5db663757de474bddb50147d14005
  SHA1: a71885b03fae199df0a2ba4571f777c85934f770
  SHA256: 9c0b9d7a6eae30649ddb31dbebd9f19c41719e063e703a36ce7effd3cf53dca5
  SHA512: fefce4e1be3b03fc2aafea12880d576dbf8bcab9387f4725775c68e23943da10c657733c42ac4558b96d88b9c312d45bf431f7d310971a0bcbf5c01f8aaf18a3

- C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe (this entry appears 3 times in the report)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f

- C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe (this entry appears 2 times in the report)
  Filesize: 27KB
  MD5: 70be8dafd65f76f556cce04fef472315
  SHA1: a25ce5adf613ee911b1281ff6db66898ef6335fb
  SHA256: dee77364ec9f74b040d418bbbc772a07cccfb4ab8dbab62d59ec3b7dd745cbc7
  SHA512: 3a5b3d6fc85eaaf0bcb1ba61577ac1038da23cbc7d6aebe24bfa6a79f81d3653a8a1a8345643dbad3c17ea80ca56e0fb4189ebef3cffcb59b4cfc32babc498f2

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (this entry appears 3 times in the report)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f

- \Users\Admin\AppData\Local\Temp\System\SiaPort.exe (this entry appears 3 times in the report)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f

- \Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe (this entry appears 2 times in the report)
  Filesize: 27KB
  MD5: 70be8dafd65f76f556cce04fef472315
  SHA1: a25ce5adf613ee911b1281ff6db66898ef6335fb
  SHA256: dee77364ec9f74b040d418bbbc772a07cccfb4ab8dbab62d59ec3b7dd745cbc7
  SHA512: 3a5b3d6fc85eaaf0bcb1ba61577ac1038da23cbc7d6aebe24bfa6a79f81d3653a8a1a8345643dbad3c17ea80ca56e0fb4189ebef3cffcb59b4cfc32babc498f2

- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (this entry appears 2 times in the report)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f
Memory dumps (path, filesize where reported)

- memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize 8KB)
- memory/1256-62-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1256-55-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1452-100-0x000000000042ECEE-mapping.dmp
- memory/1452-107-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1760-65-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-66-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-76-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-74-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-113-0x00000000001C6000-0x00000000001D7000-memory.dmp (Filesize 68KB)
- memory/1760-71-0x000000000042ECEE-mapping.dmp
- memory/1760-70-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-68-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-69-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/1760-93-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1760-110-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1760-108-0x00000000001C6000-0x00000000001D7000-memory.dmp (Filesize 68KB)
- memory/1764-80-0x0000000000000000-mapping.dmp
- memory/1764-96-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1764-111-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1856-99-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1856-112-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1856-87-0x0000000000000000-mapping.dmp
- memory/1872-63-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)
- memory/1872-58-0x0000000000000000-mapping.dmp
- memory/1872-109-0x00000000745B0000-0x0000000074B5B000-memory.dmp (Filesize 5.7MB)