Overview

overview

8

Static

static

26212b78b5...af.exe

windows7_x64

8

26212b78b5...af.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    113s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe

  • Size

    615KB

  • MD5

    d9eea652e097a3f9f950fc6998682ad0

  • SHA1

    773a2461085609843b85a605a80cc2fc9a79d5de

  • SHA256

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af

  • SHA512

    19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

Score
8/10
collectionpersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe
    "C:\Users\Admin\AppData\Local\Temp\26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    Filesize

    615KB

    MD5

    d9eea652e097a3f9f950fc6998682ad0

    SHA1

    773a2461085609843b85a605a80cc2fc9a79d5de

    SHA256

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af

    SHA512

    19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    Filesize

    615KB

    MD5

    d9eea652e097a3f9f950fc6998682ad0

    SHA1

    773a2461085609843b85a605a80cc2fc9a79d5de

    SHA256

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af

    SHA512

    19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    Filesize

    615KB

    MD5

    d9eea652e097a3f9f950fc6998682ad0

    SHA1

    773a2461085609843b85a605a80cc2fc9a79d5de

    SHA256

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af

    SHA512

    19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    Filesize

    615KB

    MD5

    d9eea652e097a3f9f950fc6998682ad0

    SHA1

    773a2461085609843b85a605a80cc2fc9a79d5de

    SHA256

    26212b78b526d1c8226341f66dae4dc88e0f3bb9f7d57f7cc2404a2d799a21af

    SHA512

    19dae35b5136ead7009957b678db5e2659b3ae6ef353471ff1379791add8f8a39797ab4b361efecb4d0537bf8eb11a3da7595c1ed10bd54868c62b89698ea000

    Download Submit
  • memory/1060-70-0x0000000000080000-0x00000000000B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1060-65-0x0000000000080000-0x00000000000B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1060-66-0x0000000000080000-0x00000000000B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1060-73-0x0000000000080000-0x00000000000B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1060-75-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1060-77-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1464-61-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1464-55-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1484-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1484-62-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1484-63-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1484-76-0x0000000073EC0000-0x000000007446B000-memory.dmp
    Filesize

    5.7MB

    Download