Analysis
-
max time kernel
97s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2023, 08:00
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
2.2MB
-
MD5
ef691f617d75f45d10af9405de47e253
-
SHA1
9be134d2c7549adf7c6678bb4c43b9f65c83214f
-
SHA256
eaead00ba98021393e7920a2f2f20e70724f716eed0933d50577786ae0289182
-
SHA512
cfe942f09cc75f44aea2eaef80e4dc6a0ebbba020b0c1cefb7efe8e158a6399fb1f5e41d696b932fac542e39ea7b5872fb1adb7c0753670a57fc0f888ee16c61
-
SSDEEP
24576:qmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+UbuzoVGBI:qPF+CWb6+CILRncZe65rb5p0ehVCrvT
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation tmp.exe -
Executes dropped EXE 2 IoCs
pid Process 4352 XHVNC.exe 3288 discord.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2076 4352 WerFault.exe 86 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3288 discord.exe 3288 discord.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3288 discord.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1664 wrote to memory of 4352 1664 tmp.exe 86 PID 1664 wrote to memory of 4352 1664 tmp.exe 86 PID 1664 wrote to memory of 4352 1664 tmp.exe 86 PID 1664 wrote to memory of 3288 1664 tmp.exe 87 PID 1664 wrote to memory of 3288 1664 tmp.exe 87 PID 1664 wrote to memory of 3288 1664 tmp.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\XHVNC.exe"C:\Users\Admin\AppData\Local\Temp\XHVNC.exe"2⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 15203⤵
- Program crash
PID:2076
-
-
-
C:\Users\Admin\AppData\Local\Temp\discord.exe"C:\Users\Admin\AppData\Local\Temp\discord.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4352 -ip 43521⤵PID:3384
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD54904329d091687c9deb08d9bd7282e77
SHA1bcf7fcebb52cad605cb4de65bdd077e600475cc7
SHA256e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
SHA512b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
Filesize
1.9MB
MD54904329d091687c9deb08d9bd7282e77
SHA1bcf7fcebb52cad605cb4de65bdd077e600475cc7
SHA256e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
SHA512b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
Filesize
1.9MB
MD54904329d091687c9deb08d9bd7282e77
SHA1bcf7fcebb52cad605cb4de65bdd077e600475cc7
SHA256e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
SHA512b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
-
Filesize
159KB
MD546a2cc3ad2ade7a6b5551b53636e0abb
SHA1b8eb52479e933c3530ca826fbe59567af3c4f6ec
SHA256f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5
SHA5127649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f
-
Filesize
159KB
MD546a2cc3ad2ade7a6b5551b53636e0abb
SHA1b8eb52479e933c3530ca826fbe59567af3c4f6ec
SHA256f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5
SHA5127649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f
-
Filesize
159KB
MD546a2cc3ad2ade7a6b5551b53636e0abb
SHA1b8eb52479e933c3530ca826fbe59567af3c4f6ec
SHA256f8af311b3903b6ccd62cb62fed4903eb4351b4b886df23f815cbb61a8feb68d5
SHA5127649c0eab09b770fd2e3a068fc84fb8d40b56207b1809bc6ba0b93955177535b7c3453c24430dc32327603db3541a4c8eac568bf59b18f28eb8fe3071e70217f