Analysis
-
max time kernel
85s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07-02-2023 05:59
Static task
static1
Behavioral task
behavioral1
Sample
MidNight - CRACKED.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
MidNight - CRACKED.exe
Resource
win10v2004-20220812-en
General
-
Target
MidNight - CRACKED.exe
-
Size
1.0MB
-
MD5
58ca1e23ef8de741043ccb41431b091a
-
SHA1
aca6ff224cc2d42dc14d66123bc018a10cd27445
-
SHA256
e52afa16e426ed5b530dc3fc1bcac33dc99ca772ff841b7c0bbbf93e4e7c7fed
-
SHA512
ba90b03bb76b45f79824d8ff415872f3a230b2dd0d50cf644938b2179d16d7dc09ffe5aa048cad089229ba84f7dd8167af747c98d0b6c70eb24208cd8e867c56
-
SSDEEP
24576:rTbBv5rUWXm04zMPIPhA53hJTB4tniG+tNd7:1B3m7/50NWt+/t
Malware Config
Signatures
-
Panda Stealer payload 2 IoCs
resource yara_rule behavioral2/files/0x0009000000022e29-133.dat family_pandastealer behavioral2/files/0x0009000000022e29-134.dat family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation MidNight - CRACKED.exe -
Executes dropped EXE 1 IoCs
pid Process 5072 10yPnSco9W4zfRozfL41HdUHsAscfkda.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3912 wrote to memory of 5072 3912 MidNight - CRACKED.exe 83 PID 3912 wrote to memory of 5072 3912 MidNight - CRACKED.exe 83 PID 3912 wrote to memory of 5072 3912 MidNight - CRACKED.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"2⤵
- Executes dropped EXE
PID:5072
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
632KB
MD5e249bcd1e893795c71351bf62480c6b6
SHA1e92158f135788d0916f2e293011b3568d498c092
SHA256b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5
SHA5128bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91
-
Filesize
632KB
MD5e249bcd1e893795c71351bf62480c6b6
SHA1e92158f135788d0916f2e293011b3568d498c092
SHA256b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5
SHA5128bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91