Overview

overview

10

Static

static

8

1b986f7f12...19.exe

windows7_x64

10

1b986f7f12...19.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe

  • Size

    2.5MB

  • MD5

    0f38f507ec3a4955583ad8c5befcd2f7

  • SHA1

    645f134676e53ad8eedc1e6a839125b0575bbc2a

  • SHA256

    1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419

  • SHA512

    38c64bd1f9112e4851bcf7aa173bf154b344625731a0a6efb160346fc689f4a3032d490caa2eac2eed56c82a2df69b972e0b98efc608f5a6f6391943c2bd1b21

Score
10/10
pandastealerspywarestealervmprotect

Malware Config

Signatures

  • Panda Stealer Payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe
    "C:\Users\Admin\AppData\Local\Temp\1b986f7f1214a3cf821f807915e50e092b1c8b69ec182b47298b5e3308a34419.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
      "C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4204
    • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
      "C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
    Filesize

    671KB

    MD5

    d74c75161d26018e4d5084078ec0ead7

    SHA1

    c00711de9656c381f42ce38f5b9c125b0aab3429

    SHA256

    c8522600ca1d49c2687bdea95a4d7a661cbbb250789a2bb0434c8917bf2c61c9

    SHA512

    53a2f147356c564b244647a741ecaf8de08afa089ea9106cd5c2d264c8f39609fe2826f1fbf41a6d2bcb32f92034830ae3b731b694b175ccfbdc5a6453978956

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\1511528223_MT.exe
    Filesize

    671KB

    MD5

    d74c75161d26018e4d5084078ec0ead7

    SHA1

    c00711de9656c381f42ce38f5b9c125b0aab3429

    SHA256

    c8522600ca1d49c2687bdea95a4d7a661cbbb250789a2bb0434c8917bf2c61c9

    SHA512

    53a2f147356c564b244647a741ecaf8de08afa089ea9106cd5c2d264c8f39609fe2826f1fbf41a6d2bcb32f92034830ae3b731b694b175ccfbdc5a6453978956

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
    Filesize

    761KB

    MD5

    c98771c7a517e4a9cb1e603a115e6c80

    SHA1

    0154f03560051015cdf49c075961c8144bd65359

    SHA256

    56924494751713a5c22ada3f11c812a2ecf4957e442fc0bf52194aae4f24c09e

    SHA512

    c48747fe27708a0b14da7c7007910b5464682947367477378e94d2edcd105eae510bc27eb9ddf9c0820e164b71da297e230d680d9ec6b94948f97d9869a94095

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6iTigXTUXWg7Q73HAYZ4R\Cheat_SanyaTop.exe
    Filesize

    761KB

    MD5

    c98771c7a517e4a9cb1e603a115e6c80

    SHA1

    0154f03560051015cdf49c075961c8144bd65359

    SHA256

    56924494751713a5c22ada3f11c812a2ecf4957e442fc0bf52194aae4f24c09e

    SHA512

    c48747fe27708a0b14da7c7007910b5464682947367477378e94d2edcd105eae510bc27eb9ddf9c0820e164b71da297e230d680d9ec6b94948f97d9869a94095

    Download Submit

  • memory/2168-130-0x0000000000DB0000-0x00000000012E1000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4812-138-0x0000000000650000-0x0000000000714000-memory.dmp

    Filesize

    784KB

    Download

  • memory/4812-139-0x0000000005020000-0x0000000005042000-memory.dmp

    Filesize

    136KB

    Download