Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 09:29

General

  • Target

    main_setup_x86x64.bin.exe

  • Size

    1.8MB

  • MD5

    51da3eb43302642233928bd69ca6e219

  • SHA1

    7d7d696126bde5e8dbab7382d278e40d22cf47da

  • SHA256

    138a3dd2730be8b076caf28f85d3fbd5a987f9587c8b629ca565ac8de1cc9637

  • SHA512

    6956d4a9331ad8b6cf563427c36ddf4981f1cdebd30ec8cdbc6ec2845e0f4762ed2c4d8d3285b0bcd18d698569d2067f58e9fa1e22d77d4be97efd97d1898561

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\SysWOW64\makecab.exe
      "C:\Windows\System32\makecab.exe"
      2⤵
        PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c mtGCHFXHhSVuwQmJLT & EmCeqebftHqwLnhIhSxEfgLn & cmd < Cui.jar
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^PGjCsNUUOkulVUDgTCsLgwbtgnrtaMjQyMxswDFobKDrInIVqUHEnjBNoihSKQBwYdtpmkjfXohDnxcQQitnyHsSkGpTfMbHpBtszncOHsHdZXfOMbeCLrWsZkXTezZlKGxWfrv$" Sete.jar
            4⤵
              PID:3792
            • C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com
              Fresche.exe.com d
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com
                C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com d
                5⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Suspicious use of FindShellTrayWindow
                PID:1120
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 30
              4⤵
              • Runs ping.exe
              PID:3404

Network

MITRE ATT&CK Enterprise v6
Downloads

  • memory/1120-128-0x00000000009C0000-0x00000000009E3000-memory.dmp

    Filesize

    140KB