9a8dac8d56137fde3518444d5d2fc1a2047ca8818292cbd9f4d1474a049d626c

General

Target

version_v317.exe
Size

1.1MB
MD5

a3379dd436b5eaf0aa9b347298491ceb
SHA1

90c8b1db730f5d17a7bc04523564499c1b0e330f
SHA256

e41280f90eb285ec8e429cf6e9a74df539ae78bcf6c210308f33857cc764042b
SHA512

bb6b85c8ef5f572a301157328a3c14a2d4ccbf8e6d3e55a73406aca4c770da47559035dba36f2a1efb6a7b91ba5f6f9a5ceb3b73ad63730d3ffd7638729f5f6f
SSDEEP

24576:C9ZoIWr9cVcQWbWqH2KwpJuMKgaFqAvg:HXqpJ4g

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

version_v317.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	version_v317.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

version_v317.exe

description pid process target process

PID 3984 set thread context of 4080 3984 version_v317.exe version_v317.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

536 4080 WerFault.exe version_v317.exe

flow	ioc
46	ip-api.com

description	pid	process	target process
PID 3984 set thread context of 4080	3984	version_v317.exe	version_v317.exe

pid	pid_target	process	target process
536	4080	WerFault.exe	version_v317.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

version_v317.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	version_v317.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	version_v317.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exeversion_v317.exe

pid	process
2688	powershell.exe
2688	powershell.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe
4080	version_v317.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

version_v317.exepowershell.exeversion_v317.exe

description pid process

Token: SeDebugPrivilege 3984 version_v317.exe
Token: SeDebugPrivilege 2688 powershell.exe
Token: SeDebugPrivilege 4080 version_v317.exe

description	pid	process
Token: SeDebugPrivilege	3984	version_v317.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	4080	version_v317.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

version_v317.exe

description	pid	process	target process
PID 3984 wrote to memory of 2688	3984	version_v317.exe	powershell.exe
PID 3984 wrote to memory of 2688	3984	version_v317.exe	powershell.exe
PID 3984 wrote to memory of 2688	3984	version_v317.exe	powershell.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe
PID 3984 wrote to memory of 4080	3984	version_v317.exe	version_v317.exe

C:\Users\Admin\AppData\Local\Temp\version_v317.exe
"C:\Users\Admin\AppData\Local\Temp\version_v317.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\version_v317.exe
  C:\Users\Admin\AppData\Local\Temp\version_v317.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 2488
    3⤵
    - Program crash
    PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4080 -ip 4080
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\version_v317.exe.log

Filesize
1KB

MD5
c91b80dbce8968f7dc3c1ef7b786cc9c

SHA1
417c70ed9cfe41552157345eefddf0591c0d00c6

SHA256
c9ee0c53d34fbc49b8ece204937021280920eee20b8e166441625b96fc000dc0

SHA512
e211ae5ee1b0008614b61315ec18ced113ac3b9fb7fc757ee9b704102f26107ae51421d19501c1ceacaa26fc270dd5090dce3748867791e62a3177b107a26849

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjjvz0wr.fxo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Processes.txt

Filesize
4KB

MD5
24a76803dce33f04635bfcd2f9f41677

SHA1
c44f9bd751fa67e9f2f796e49316f171333024a1

SHA256
4d6c970b2228b6bc257b45c7d64d14dfeda233490813b2c7039a02eaab9bd787

SHA512
65117b4a7d65886c6e750aa09b496c1854c8659f6aa6aac99c7c9baa65895ff12a7b46898efa4d01d4174b847fce45f3eeb47feae7100405a01d96691c1709ba

Download Submit
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\Admin@[email protected]\Software.txt

Filesize
4KB

MD5
ba677776671f5a143438935d549bccc2

SHA1
cb4efbb91ae2dfc3ddc24a5e242619168ac57587

SHA256
df5b6d7f6f0fbcc13b3bb8f168cb5cc0c9e80f6c5845f844c8ea675221e7e2c1

SHA512
7099cacb87ca621e8eb9c60253d307efb614afe1de5f0c3966eecf0da64d8b54acc7847069ba2d9bf44bd39ad270e6fe79ae1b9c6b296cdb137a1b1a9aedc721

Download Submit
C:\Users\Admin\AppData\Local\f91706e5d2df12902f18c18c14ded501\msgid.dat

Filesize
13B

MD5
4329e5b56539c0720ff45f2eeb870fe9

SHA1
4b488bdf5dc5283b9c2a2e0f574bd35f293dde90

SHA256
23f8fc0258fd2aa4c7034e1fa56618e14d3ebba4418c8c5ad733378c3c90c8de

SHA512
f0bff228f665ec2ec49e22b3b29bcf87518a74e7adad9e0e4fb264ad49b9fe40dcfe6d1a6fdb1f290f29d494df56a6728a61136a7ff83b5c5a55a543f3a2b1b5

Download Submit
memory/2688-150-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-137-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/2688-156-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-145-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-139-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/2688-151-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/2688-152-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/2688-158-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-154-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-157-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2688-136-0x00000000025B0000-0x00000000025E6000-memory.dmp

Filesize
216KB

Download
memory/2688-138-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/2688-153-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/3984-162-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/3984-163-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/3984-134-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/3984-155-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/3984-135-0x0000000006BC0000-0x0000000006BE2000-memory.dmp

Filesize
136KB

Download
memory/3984-133-0x0000000000B10000-0x0000000000C2C000-memory.dmp

Filesize
1.1MB

Download
memory/4080-164-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4080-167-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4080-296-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4080-314-0x0000000006020000-0x000000000602A000-memory.dmp

Filesize
40KB

Download
memory/4080-315-0x0000000006060000-0x0000000006072000-memory.dmp

Filesize
72KB

Download
memory/4080-321-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads