Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
02/02/2023, 13:35
General
-
Target
Quote_specifications 09321_PDF.exe
-
Size
331KB
-
MD5
dcb80e6ddebe648cc889c3c4fdbc1140
-
SHA1
405b0cdb08732a2fa8c8b71ff2b962fe2bad4a1c
-
SHA256
afc282bc05bba0fc2376caf8a82a72c1e708620fae92b1df63575132f159802a
-
SHA512
7d5ed4666b0121cb41d5a71fd2144320730e9166581c2a57064ca49da9c6f6480b514ec29806f785ea37193b6abfd7570b0d17a9db294790d4006faceea1ce34
-
SSDEEP
6144:9Ya6tmSVQonSN1rUfxr6wggwhB/BNjee9e+bjCF1eVMhLkK2ge1h9Xhj6NodEaVN:9YPJVtSfIfAwgfhFH/eE4eVMhLj2gs7F
Malware Config
Extracted
Protocol: smtp- Host:
mail.ravv.sk - Port:
587 - Username:
[email protected] - Password:
bfE#vKaMi#
Signatures
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote_specifications 09321_PDF.exe"C:\Users\Admin\AppData\Local\Temp\Quote_specifications 09321_PDF.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ttrruxbubs.exe"C:\Users\Admin\AppData\Local\Temp\ttrruxbubs.exe" C:\Users\Admin\AppData\Local\Temp\afeqjhsy.qa2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ttrruxbubs.exe"C:\Users\Admin\AppData\Local\Temp\ttrruxbubs.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5e958ce0932ddfb26d0e894611c845d60
SHA1d4f33e4896cf2ed63250f20e80a747ea5d504549
SHA256d68db254d17a75c155462b9cc8a7d3c734d043186ee7e9c59a3d35c34a48915b
SHA512c122bd2f2a02c68c623ea150db5c622bcabe061830bb432d381caa55f9b3ddefccf2ff82b0b397d96ea605decf718d554ffc3b3ce99b0692585bde5e05b639ee
-
Filesize
265KB
MD53adf78704f95a3515f79e5d3ade9d745
SHA10d0c686e107da49ae37913c174599ad06b58cd26
SHA2566a8814cd64158343a45cc7c2ebf51015d93c38a7d1958fe2e8cf2b8ab366f629
SHA51208cac0d041c6b13e7525e7f2c82cc932c4c40642c916dc26ee785d35fd6db6a509dcd63c5eb53f16807fe5ba7b0e81d45b02ae78675ba7b53203abc1c4ca0f2d
-
Filesize
164KB
MD5ad2bd6ca36440aa815d87df49b501224
SHA1bfded28b6f5e5a55d9559d3508f8525e1e92cc50
SHA2565ce328542651a00d461df2bd7a7f471059c0f073712e1a9e40d70cdcbae24ee0
SHA512f1c8f38e760d6dfca4eb6e0ddeb7a5550312efb0b4f409ca4d6f666922c0a8c71164192d8f72dd174420a2a51b789b8b9eca21883646d719f76693a9b0f80c8e
-
Filesize
164KB
MD5ad2bd6ca36440aa815d87df49b501224
SHA1bfded28b6f5e5a55d9559d3508f8525e1e92cc50
SHA2565ce328542651a00d461df2bd7a7f471059c0f073712e1a9e40d70cdcbae24ee0
SHA512f1c8f38e760d6dfca4eb6e0ddeb7a5550312efb0b4f409ca4d6f666922c0a8c71164192d8f72dd174420a2a51b789b8b9eca21883646d719f76693a9b0f80c8e
-
Filesize
164KB
MD5ad2bd6ca36440aa815d87df49b501224
SHA1bfded28b6f5e5a55d9559d3508f8525e1e92cc50
SHA2565ce328542651a00d461df2bd7a7f471059c0f073712e1a9e40d70cdcbae24ee0
SHA512f1c8f38e760d6dfca4eb6e0ddeb7a5550312efb0b4f409ca4d6f666922c0a8c71164192d8f72dd174420a2a51b789b8b9eca21883646d719f76693a9b0f80c8e
-
Filesize
260KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
624KB