Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:39

General

  • Target

    39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe

  • Size

    403KB

  • MD5

    7b14a66b08d68be48ee440e519a6e823

  • SHA1

    74a5709d1704574b8a8aff95e5ca1a7fe55b9259

  • SHA256

    39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614

  • SHA512

    c4b2bfb426adf7ec56043300d5fe87ca3b6f2203f9bcc9dc4346e0b44a87bf9a1b702e5d851dcb22ede5b36b990f8bfad97b7410500800ffc93bc7f4758dd54f

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely to geofence (refuse to run in certain countries).

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Often ransomware behaviour, although the remaining signatures for this sample point to credential theft rather than encryption.

  • NSIS installer 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
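
The signatures above are derived from API-level observation in the sandbox (registry reads, file opens, native calls), not from the file on disk. As an added example that is not the sandbox's engine or the sample's own code, the following Python maps constructed API-trace lines to the report's signature names. The trace format, the choice of registry key and device path each signature is assumed to key on, and the use of the PIDs from the process tree above are assumptions made for illustration; the paths themselves are the standard Windows locations (GeoID under Control Panel\International\Geo, the Uninstall key, Chromium "User Data" profiles, \\.\PhysicalDriveN) and 0x11 is the ThreadHideFromDebugger information class.

```python
"""
Map API-trace lines to the behavioural signatures listed in the report.

Added example: this is not the sandbox's engine or the sample's code. The
TRACE lines are constructed to look like a generic user-mode API monitor
export ("<pid>  <API>(<args>)"); the PIDs reuse those in the process tree
so the output reads like the report. The registry paths and device names
are the standard locations these signature descriptions refer to.
"""
import re

# Signature name (as used in the report) -> regex over one trace line.
# Which artefact each report signature keys on is an assumption made from
# its description, not something the report states.
SIGNATURES = {
    "Checks computer location settings":
        r"Control Panel\\International\\Geo\\Nation",            # GeoID value
    "Checks installed software on the system":
        r"Microsoft\\Windows\\CurrentVersion\\Uninstall",
    "Reads user/profile data of web browsers":
        r"\\User Data\\(Default|Profile \d+)\\(Login Data|Cookies|Web Data)",
    "Enumerates physical storage devices":
        r"\\\\\.\\(PhysicalDrive|CdRom)\d+",
    "Suspicious use of NtSetInformationThreadHideFromDebugger":
        r"NtSetInformationThread\(.*ThreadInformationClass=0x11",  # 0x11 = ThreadHideFromDebugger
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

# Constructed trace; not real output from the sandbox run above.
TRACE = [
    r"1484  RegOpenKeyExW(HKEY_CURRENT_USER\Control Panel\International\Geo)",
    r"1484  RegQueryValueExW(HKEY_CURRENT_USER\Control Panel\International\Geo\Nation)",
    r"1484  RegOpenKeyExW(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)",
    r"2788  NtSetInformationThread(ThreadHandle=0xffffffff, ThreadInformationClass=0x11)",
    r"2788  CreateFileW(C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data)",
    r"2788  CreateFileW(\\.\PhysicalDrive0)",
    r"4480  CreateFileW(C:\Users\Admin\AppData\Local\Temp\out.tmp)",
    "garbage line that does not parse",
]


def run_signatures(trace):
    """Return {signature: [(pid, api), ...]} for every signature that fired."""
    hits = {name: [] for name in SIGNATURES}
    for line in trace:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        for name, pattern in COMPILED.items():
            if pattern.search(line):
                hits[name].append((int(m["pid"]), m["api"]))
    return {name: h for name, h in hits.items() if h}


def summarize(hits):
    """Render hits in the report's 'Signature N IoCs' style, one line each."""
    return [f"{name} {len(h)} IoCs (PIDs {sorted({pid for pid, _ in h})})"
            for name, h in hits.items()]


if __name__ == "__main__":
    for line in summarize(run_signatures(TRACE)):
        print(line)
```

Note that these are read-side observations: Sysmon registry events (12/13/14) cover key creation, value writes and renames, not RegQueryValueEx, so reproducing "Checks computer location settings" or "Checks installed software" on an endpoint needs API-level telemetry from an EDR or ETW provider rather than Sysmon alone. The NtSetInformationThread call and the \\.\PhysicalDrive open are the two that survive as reliable hunting leads in most EDR data.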

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
    "C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
      "C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Roaming\SSJK.exe
        "C:\Users\Admin\AppData\Roaming\SSJK.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\CDGH.exe
      "C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
      2⤵
      • Executes dropped EXE
      PID:4480
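
The process tree shows a three-stage chain: the submitted sample writes XXMBK.exe and CDGH.exe to %TEMP%, XXMBK.exe is launched with `-s -p<string>` and in turn starts SSJK.exe from %APPDATA%\Roaming. As an added example that is not part of the report, the following Python turns that into two host-side checks: a hash sweep for the dropped files, and a rule for the stage-2 to stage-3 shape. The SHA256 values and file names come from this page; the process-event records are constructed to resemble process-creation telemetry (Sysmon Event ID 1 style fields) and are not real logs. The `-s -p<string>` shape is copied from the observed command line; the report does not establish what those switches mean, so the rule matches only that literal shape.

```python
"""
Hunt for this sample's dropped files and process chain.

Added example, not part of the report: the SHA256 values and paths come
from the Processes and Downloads sections; the EVENTS records are
constructed to resemble process-creation telemetry (Sysmon Event ID 1
style fields) and are not real logs.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> file name, from the report.
DROPPED_SHA256 = {
    "39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614":
        "39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe",
    "d9a6f2d2ed74136c67f9a640bb12ea18d0f057fb0c40ba59f99a7a8be3606ac0": "XXMBK.exe",
    "a7b031025f3ce486240f885081cd93a282bf00738fb1d1a9f031c59614624c00": "CDGH.exe",
    "342efce61c6c6666b35e1a46cc962ec48a128462702ccf9217f0de2c077925de": "SSJK.exe",
}

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
STAGE2_ARGS = re.compile(r"\s-s\s+-p\S+")   # observed: XXMBK.exe -s -p<string>


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_hash(digest):
    """Name of the dropped file with this SHA256, or None."""
    return DROPPED_SHA256.get(digest.lower())


def scan_tree(root):
    """Walk root and return [(path, matched_name)] for files in the IOC set."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file; keep scanning
            hit = lookup_hash(digest)
            if hit:
                matches.append((path, hit))
    return matches


def find_chain(events):
    """
    Return [(parent_pid, child_pid, child_image)] where a %TEMP% executable
    launched with '-s -p<string>' spawned an executable from AppData\\Roaming,
    the stage-2 -> stage-3 shape in the report's process tree.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (TEMP_EXE.search(parent["image"])
                and STAGE2_ARGS.search(parent["cmdline"])
                and ROAMING_EXE.search(e["image"])):
            findings.append((parent["pid"], e["pid"], e["image"]))
    return findings


# Constructed process-creation records mirroring the report's tree plus one benign entry.
EVENTS = [
    {"pid": 4492, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe"'},
    {"pid": 1484, "ppid": 4492,
     "image": r"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC'},
    {"pid": 2788, "ppid": 1484,
     "image": r"C:\Users\Admin\AppData\Roaming\SSJK.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SSJK.exe"'},
    {"pid": 4480, "ppid": 4492,
     "image": r"C:\Users\Admin\AppData\Local\Temp\CDGH.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CDGH.exe"'},
    {"pid": 5100, "ppid": 1000,   # benign: archiver outside %TEMP%, no '-s'
     "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x C:\Users\Admin\Downloads\a.7z -pSecret'},
]


def demo_scan():
    """Hash a constructed file in a scratch directory; returns (digest, matches)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(b"hello")  # constructed content, not the malware
        return sha256_file(p), scan_tree(d)


if __name__ == "__main__":
    print(find_chain(EVENTS))
    print(demo_scan())
```

On a live host, point scan_tree at %LOCALAPPDATA%\Temp and %APPDATA% (the two drop locations in the tree) and feed find_chain with exported process-creation events. The hashes are the brittle half: a repacked build changes every one of them, so the chain rule is the part worth keeping in a detection set, and it deliberately ignores the file names (XXMBK, SSJK, CDGH), which look generated.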

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 2 signatures
  • Discovery: Query Registry (T1012), 2 signatures
  • Discovery: System Information Discovery (T1082), 2 signatures
  • Collection: Data from Local System (T1005), 2 signatures

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CDGH.exe
    Filesize

    35KB

    MD5

    b5510faf54af520660525417de2c8b06

    SHA1

    78351c3549d5bb4883a3072d2fc5ac78cf6a5a6e

    SHA256

    a7b031025f3ce486240f885081cd93a282bf00738fb1d1a9f031c59614624c00

    SHA512

    7ca920945773e08e16e297a56c01bb0fb7eea9c8461553c7545f3d485ea12c4367ba02967ab1d5e3cba36d52ed2906cadeef68543529dddef0bd5c539ec8238e

  • C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
    Filesize

    444KB

    MD5

    e793c4bd1cece8d27b7aaf4050d58e79

    SHA1

    85c374c976623c265f0609445de296662427029a

    SHA256

    d9a6f2d2ed74136c67f9a640bb12ea18d0f057fb0c40ba59f99a7a8be3606ac0

    SHA512

    7327b3dc1ab4d493cde1cfeeb1d2680ff823ab6e8feb53213565798b6ba195b1b60e9e374af6c6fbfae3d54ecfb83ae68fac5381c9bc71a437ce43188b5ef6ce

  • C:\Users\Admin\AppData\Roaming\SSJK.exe
    Filesize

    339KB

    MD5

    74d54a45f28379b31334ff97dcf2bae7

    SHA1

    5d9de494e7f04e576b03fc25d295349129e601d1

    SHA256

    342efce61c6c6666b35e1a46cc962ec48a128462702ccf9217f0de2c077925de

    SHA512

    38c63133f4c8a6305d6006e2144c65fa8c42dc18d662350716d197ab621b5942b632e241fc00eb0a963f8ab2b83e638de6630140b4d67f3ac8d42195c064a70f

  • memory/1484-130-0x0000000000000000-mapping.dmp
  • memory/2788-133-0x0000000000000000-mapping.dmp
  • memory/4480-136-0x0000000000000000-mapping.dmp