6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168

Analysis

max time kernel
177s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe
Size

1.1MB
MD5

652b6b44a946514af06806813de312e6
SHA1

964ee291d03d594b03ad8834a4e0cf080c5c5326
SHA256

6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168
SHA512

26c71e5e70fa0f0147786c969fbe92e33cf9e4b3ef8c8ab84ce3e3f46f2ab452bba1cd55479575f384b44538680cdea87edecfca31094a9e9b6aeb94d5b8c63a
SSDEEP

24576:Bny/f9uKGFRlMPT/L/KaACPiqSRpbfAEfOaPy1UY2BF:4FsFR4Kanq5ToEfI1K

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1200	stubex.exe
116	Se1lqdObAjp0MmWw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	stubex.exe

Loads dropped DLL 4 IoCs

pid	Process
116	Se1lqdObAjp0MmWw.exe
116	Se1lqdObAjp0MmWw.exe
116	Se1lqdObAjp0MmWw.exe
116	Se1lqdObAjp0MmWw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Se1lqdObAjp0MmWw.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Se1lqdObAjp0MmWw.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Se1lqdObAjp0MmWw.exe
File opened for modification	C:\Windows\assembly	Se1lqdObAjp0MmWw.exe
File created	C:\Windows\assembly\Desktop.ini	Se1lqdObAjp0MmWw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1200	2580	6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe	84
PID 2580 wrote to memory of 1200	2580	6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe	84
PID 2580 wrote to memory of 1200	2580	6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe	84
PID 1200 wrote to memory of 116	1200	stubex.exe	86
PID 1200 wrote to memory of 116	1200	stubex.exe	86
PID 1200 wrote to memory of 116	1200	stubex.exe	86

C:\Users\Admin\AppData\Local\Temp\6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe
"C:\Users\Admin\AppData\Local\Temp\6f65ac62ee30aab88a4f9fc1a299d756f9dec0a98298b10bb85e8f77b6b8c168.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\stubex.exe
  "C:\Users\Admin\AppData\Local\Temp\stubex.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\Se1lqdObAjp0MmWw.exe
    "C:\Users\Admin\AppData\Local\Temp\Se1lqdObAjp0MmWw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Se1lqdObAjp0MmWw.exe

Filesize
1.8MB

MD5
0b0565a56a42c8b975a1b8c404f92d5a

SHA1
560d089e34c9e82cad65a03e542595719dee41dc

SHA256
b9a70cd6e90ef563bb98736ee0cf8ce571c6e08147baceae67c2efbddc8fb2bf

SHA512
088bc4163c155dcd20c9c7af339c35ce2c0887647c991b1c35a3125547a7d8efce84219ffc2695fc8246ed440c585ca09b969e362903f5dee1632127a4229c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Se1lqdObAjp0MmWw.exe

Filesize
1.8MB

MD5
0b0565a56a42c8b975a1b8c404f92d5a

SHA1
560d089e34c9e82cad65a03e542595719dee41dc

SHA256
b9a70cd6e90ef563bb98736ee0cf8ce571c6e08147baceae67c2efbddc8fb2bf

SHA512
088bc4163c155dcd20c9c7af339c35ce2c0887647c991b1c35a3125547a7d8efce84219ffc2695fc8246ed440c585ca09b969e362903f5dee1632127a4229c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data

Filesize
2.4MB

MD5
f8569ec0a715af00fe5356bdd6efed67

SHA1
f10eb8ec3a646a03db9310311114b5113b95f6eb

SHA256
3db46dbecff09b28acda0078ee32980111abbb7d6c7f79f852d7a68ce583028d

SHA512
cb28e94725e1fa466b8ed3e9e208835b416b86e218d999208554d5255f9e159bbadaf71630b51f9a64dafcb24f6837485ed97d138b43084933976f33cd3ee68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\stubex.exe

Filesize
46KB

MD5
b6fb48cf9f3124871086a25bbd8fb797

SHA1
f4834a8c290dceeff5a9ba9ea79e05eda3723a73

SHA256
0e1bcb5e49d9f9b8dc40e8bec84aee48f4de811027f7fcaf8a6d09e015a2c319

SHA512
a750d73e5529d7e055a280e853d4c9626278e69eeb6f590395c1feee4a136db188809102cf8923d436edffd9080ca0f61e5a9495fdcc033753e0cc4cd89277c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\stubex.exe

Filesize
46KB

MD5
b6fb48cf9f3124871086a25bbd8fb797

SHA1
f4834a8c290dceeff5a9ba9ea79e05eda3723a73

SHA256
0e1bcb5e49d9f9b8dc40e8bec84aee48f4de811027f7fcaf8a6d09e015a2c319

SHA512
a750d73e5529d7e055a280e853d4c9626278e69eeb6f590395c1feee4a136db188809102cf8923d436edffd9080ca0f61e5a9495fdcc033753e0cc4cd89277c3

Download Submit
memory/116-142-0x0000000074460000-0x0000000074A11000-memory.dmp

Filesize
5.7MB

Download
memory/116-143-0x0000000074460000-0x0000000074A11000-memory.dmp

Filesize
5.7MB

Download
memory/1200-137-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/1200-136-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/1200-135-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download