Overview

overview

9

Static

static

55e0722ff8...2a.exe

windows7_x64

9

55e0722ff8...2a.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    10-03-2022 17:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe

  • Size

    3.0MB

  • MD5

    09fb8646753f7041cb0dc124b3c571cf

  • SHA1

    d41f962c8b308802635a446d1637a1316be54da1

  • SHA256

    55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a

  • SHA512

    7e0bc327c63acfc77c4276b6e7cffdd6514a4512fe76ebed360c629d94511f20dd0368c6220a21c40e1bb64b53e9a86ccb971a4c38c5cdf813a431716b15a536

Score
9/10
spywarestealerupx

Malware Config

Signatures

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
    "C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
      "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4iWQts1PND+kGJ4xdmGirFtT5W3OXFMbjE8CmdHgtOm0xo8eWTYs60ZjZMZYNO9Oj+IEZX5hTZz71kfTdlEjihNmMmWELE++ykkeW58BqUkHKYnClrsLhUECbONhhqWho=
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
            C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4780
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
            C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
            5⤵
            • Executes dropped EXE
            PID:1272
          • C:\Users\Admin\AppData\Local\Temp\hh.exe
            C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4764
          • C:\Users\Admin\AppData\Local\Temp\splwow64.exe
            C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
            5⤵
            • Executes dropped EXE
            PID:1376
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Users\Admin\AppData\Local\Temp\xwizard.exe
            C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
            PID:1692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1656-135-0x0000000005710000-0x0000000005711000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-134-0x0000000000370000-0x000000000066C000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1656-130-0x0000000000370000-0x000000000066C000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1656-131-0x0000000074760000-0x0000000074F10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1656-132-0x0000000005DD0000-0x0000000006374000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1656-133-0x0000000005A10000-0x0000000005A76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4848-138-0x00000181EB1F0000-0x00000181EB4CA000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4848-141-0x00000181ED280000-0x00000181ED282000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4848-140-0x00000181EEFA0000-0x00000181EF016000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4848-146-0x00000181EF130000-0x00000181EF14E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4848-143-0x00000181ED240000-0x00000181ED262000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4848-144-0x00000181ED2B0000-0x00000181ED2CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4848-139-0x00007FFF38300000-0x00007FFF38DC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4848-145-0x00000181ED290000-0x00000181ED298000-memory.dmp

      Filesize

      32KB

      Download