Overview

overview

10

Static

static

4fb80be69d...e6.exe

windows7-x64

10

4fb80be69d...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2022 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe

  • Size

    829KB

  • MD5

    2cfe62a4b6477f49bcb39489ac799406

  • SHA1

    ad1ea2f9cc41d380508bf9d7a53ad69096133a32

  • SHA256

    4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6

  • SHA512

    0d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1

Score
10/10
collectionpersistencespywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.spytector.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    751g902S

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe
    "C:\Users\Admin\AppData\Local\Temp\4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3448
    • C:\Users\Admin\AppData\Local\Temp\wintask.scr
      "C:\Users\Admin\AppData\Local\Temp\wintask.scr"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Microsoft Excel
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DXWRK.html
    Filesize

    885B

    MD5

    03e2b533f23caf6c973e1b03dd7a22eb

    SHA1

    d84c87b19b0e716a0b59eeda47f967e706d64f57

    SHA256

    5d4c4a23cfa76c2e9c985a098985c411e31ca6facd7805f3b885038c1e78500f

    SHA512

    807e7f7327b634863f5e9aa9eec19f2bf449fcf23adce758c028fa76bf62ccb298a03c1d0b1980604efb777d55c4e9c332a0f1c92ddaeb41575b8d111d2cd372

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Logs.html
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wintask.scr
    Filesize

    829KB

    MD5

    2cfe62a4b6477f49bcb39489ac799406

    SHA1

    ad1ea2f9cc41d380508bf9d7a53ad69096133a32

    SHA256

    4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6

    SHA512

    0d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wintask.scr
    Filesize

    829KB

    MD5

    2cfe62a4b6477f49bcb39489ac799406

    SHA1

    ad1ea2f9cc41d380508bf9d7a53ad69096133a32

    SHA256

    4fb80be69d6e2792c363a2e9a0083b786a90b90995aa14c091c6658edb188de6

    SHA512

    0d186ab978618c0ac5ef4e561d3b4964e23b6fd3868cf67380e866a100a6fb948f6e40975d192cb9cac542ca830fc2defa72b10168230967bf1adae46d9afea1

    Download Submit
  • memory/1636-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4448-137-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-136-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-138-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4448-139-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-140-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-141-0x00007FFED6A60000-0x00007FFED6A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-142-0x00007FFED6A60000-0x00007FFED6A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-144-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-145-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-146-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4448-147-0x00007FFED8BD0000-0x00007FFED8BE0000-memory.dmp
    Filesize

    64KB

    Download