Analysis

- max time kernel: 132s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 08:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
- Resource: win7-20220901-en
General

- Target: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
- Size: 532KB
- MD5: 4aa2148b49e9956201b00ab8c5914e09
- SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
- SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
- SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f
- SSDEEP: 12288:vHbypKkBLIvL6omZrRgRlKnninnnnfNobnnnnuLeqLt:vbyowLIvL65ZriR4ninnfNknuLeqLt
Malware Config

Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: k4ivitu@gmail.com
- Password: Vajalik312
Signatures

Executes dropped EXE (5 IoCs)
Processes:

| pid  | process      |
|------|--------------|
| 1684 | explorer.exe |
| 4812 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 4552 | SiaPort.exe  |
| 4484 | SiaPort.exe  |

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:

| description       | ioc | process |
|-------------------|-----|---------|
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | explorer.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | mWSCvAP.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe |

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:

| description     | ioc | process |
|-----------------|-----|---------|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mWSCvAP.exe" | mWSCvAP.exe |

Suspicious use of SetThreadContext (2 IoCs)
Processes:

| description                         | pid  | process      | target process |
|-------------------------------------|------|--------------|----------------|
| PID 1684 set thread context of 4812 | 1684 | explorer.exe | explorer.exe   |
| PID 4552 set thread context of 4484 | 4552 | SiaPort.exe  | SiaPort.exe    |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:

| pid  | process      |
|------|--------------|
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4812 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |
| 4552 | SiaPort.exe  |
| 4776 | mWSCvAP.exe  |
| 1684 | explorer.exe |
| 4552 | SiaPort.exe  |
| 1684 | explorer.exe |
| 4776 | mWSCvAP.exe  |

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:

| description             | pid  | process |
|-------------------------|------|---------|
| Token: SeDebugPrivilege | 2564 | bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe |
| Token: SeDebugPrivilege | 1684 | explorer.exe |
| Token: SeDebugPrivilege | 4776 | mWSCvAP.exe |
| Token: SeDebugPrivilege | 4552 | SiaPort.exe |
| Token: SeDebugPrivilege | 4812 | explorer.exe |

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:

| pid  | process      |
|------|--------------|
| 4812 | explorer.exe |

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:

| description                      | pid  | process | target process |
|----------------------------------|------|---------|----------------|
| PID 2564 wrote to memory of 1684 | 2564 | bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe | explorer.exe |
| PID 2564 wrote to memory of 1684 | 2564 | bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe | explorer.exe |
| PID 2564 wrote to memory of 1684 | 2564 | bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4812 | 1684 | explorer.exe | explorer.exe |
| PID 1684 wrote to memory of 4776 | 1684 | explorer.exe | mWSCvAP.exe |
| PID 1684 wrote to memory of 4776 | 1684 | explorer.exe | mWSCvAP.exe |
| PID 1684 wrote to memory of 4776 | 1684 | explorer.exe | mWSCvAP.exe |
| PID 4776 wrote to memory of 4552 | 4776 | mWSCvAP.exe | SiaPort.exe |
| PID 4776 wrote to memory of 4552 | 4776 | mWSCvAP.exe | SiaPort.exe |
| PID 4776 wrote to memory of 4552 | 4776 | mWSCvAP.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
| PID 4552 wrote to memory of 4484 | 4552 | SiaPort.exe | SiaPort.exe |
Processes (the number in brackets is the depth of the process in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- [3] C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 75c5db663757de474bddb50147d14005
  SHA1: a71885b03fae199df0a2ba4571f777c85934f770
  SHA256: 9c0b9d7a6eae30649ddb31dbebd9f19c41719e063e703a36ce7effd3cf53dca5
  SHA512: fefce4e1be3b03fc2aafea12880d576dbf8bcab9387f4725775c68e23943da10c657733c42ac4558b96d88b9c312d45bf431f7d310971a0bcbf5c01f8aaf18a3
- C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe (3 identical entries)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f
- C:\Users\Admin\AppData\Local\Temp\System\mWSCvAP.exe (2 identical entries)
  Filesize: 27KB
  MD5: 70be8dafd65f76f556cce04fef472315
  SHA1: a25ce5adf613ee911b1281ff6db66898ef6335fb
  SHA256: dee77364ec9f74b040d418bbbc772a07cccfb4ab8dbab62d59ec3b7dd745cbc7
  SHA512: 3a5b3d6fc85eaaf0bcb1ba61577ac1038da23cbc7d6aebe24bfa6a79f81d3653a8a1a8345643dbad3c17ea80ca56e0fb4189ebef3cffcb59b4cfc32babc498f2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (3 identical entries)
  Filesize: 532KB
  MD5: 4aa2148b49e9956201b00ab8c5914e09
  SHA1: 3f430ee7d1742b76ea6676b8d1480bf0456635f3
  SHA256: bfb3ba943d5333f18237ad7ae04a9601bbf677f0fcdebd45d788d86703ab8f70
  SHA512: 97da894d91f8216eb742cee8b46c2f4ab62d676ab6aff7d6bab22f6104e6b8cb5b6ce350f774ad688a5c951c103effc2f71a78998aebd3fca01037224d38ac0f
- memory/1684-156-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/1684-142-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/1684-133-0x0000000000000000-mapping.dmp
- memory/2564-132-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/2564-136-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4484-150-0x0000000000000000-mapping.dmp
- memory/4484-153-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4552-148-0x0000000000000000-mapping.dmp
- memory/4552-154-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4552-158-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4776-146-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4776-143-0x0000000000000000-mapping.dmp
- memory/4776-157-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4812-141-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4812-139-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
- memory/4812-155-0x00000000748E0000-0x0000000074E91000-memory.dmp
  Filesize: 5.7MB
- memory/4812-138-0x0000000000000000-mapping.dmp