Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23-03-2023 11:02
Behavioral task
behavioral1
Sample
impvqfag - Copy.exe
Resource
win7-20230220-en
General
-
Target
impvqfag - Copy.exe
-
Size
168KB
-
MD5
967461d7eaa06cceada0df6b90dc2248
-
SHA1
9b0f168f38e990dade84905f8b294e0c83a1a93f
-
SHA256
d6d03b39851da54f93d35a89fa243ebc01b45b6f7ed5590605d64bda89fd293d
-
SHA512
117873b1ca7cf78f4579611f16bc5479b12a63acfec99bd3021b67de5336254337f7c9e5f8fc202dc26109ca2dd3f1e689d15e989662a5cf1dac45d1322aafff
-
SSDEEP
3072:KDBXmfDngnSzsevIJqg5IOQI0HQFdWjhf7ybH0WRgg/:EXmfDgbGg5IOQIAhTybDgg
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
impvqfag - Copy.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation impvqfag - Copy.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
impvqfag - Copy.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 impvqfag - Copy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString impvqfag - Copy.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2272 timeout.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
impvqfag - Copy.exepid process 4992 impvqfag - Copy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
impvqfag - Copy.exedescription pid process Token: SeDebugPrivilege 4992 impvqfag - Copy.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
impvqfag - Copy.execmd.exedescription pid process target process PID 4992 wrote to memory of 2704 4992 impvqfag - Copy.exe cmd.exe PID 4992 wrote to memory of 2704 4992 impvqfag - Copy.exe cmd.exe PID 4992 wrote to memory of 2704 4992 impvqfag - Copy.exe cmd.exe PID 2704 wrote to memory of 2272 2704 cmd.exe timeout.exe PID 2704 wrote to memory of 2272 2704 cmd.exe timeout.exe PID 2704 wrote to memory of 2272 2704 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\impvqfag - Copy.exe"C:\Users\Admin\AppData\Local\Temp\impvqfag - Copy.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C timeout 5 & del "C:\Users\Admin\AppData\Local\Temp\impvqfag - Copy.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 53⤵
- Delays execution with timeout.exe