Overview

overview

9

Static

static

b08e198a1e...01.exe

windows7-x64

9

b08e198a1e...01.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 15:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01.exe

  • Size

    136KB

  • MD5

    80e4d8b7737999bd927d87282cdb2455

  • SHA1

    0cd2f503ff244fd4d957d21eba8eded0b28fcee8

  • SHA256

    b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01

  • SHA512

    e96493179911184931a8892f08edd21889b016b54b8871105faa8adc1f759c08ee19e72c10ac290f273125da1cff65eab3a2b292d9e33e5f56f73c0a8b9f1ce7

  • SSDEEP

    1536:jDB+DkDjl8fO1Qkzx3ToFuJL0tC0NH7no47MYTK4iKEFXvxKqHs:fB+DkDZs5kZToTtCiH7nN70/Xey

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01.exe
    "C:\Users\Admin\AppData\Local\Temp\b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\xcopy.exe
      C:\Windows\system32\xcopy.exe C:\Windows\system32\xcopy.exe C:\Users\Admin\AppData\Local\Temp\ /y
      2⤵
      • Enumerates system info in registry
      PID:5032
    • C:\ProgramData\Application Data\inetinfo.exe
      "C:\ProgramData\Application Data\inetinfo.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\xcopy.exe
        C:\Windows\system32\xcopy.exe C:\Windows\system32\xcopy.exe C:\Users\Admin\AppData\Local\Temp\ /y
        3⤵
        • Enumerates system info in registry
        PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\info.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:2876
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
              PID:3752
          • C:\Windows\SysWOW64\net.exe
            net localgroup administrators
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4816
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators
              5⤵
                PID:4380
            • C:\Windows\SysWOW64\net.exe
              net start
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1360
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start
                5⤵
                  PID:1008
              • C:\Windows\SysWOW64\net.exe
                net view
                4⤵
                • Discovers systems in the same network
                PID:4700
              • C:\Windows\SysWOW64\net.exe
                net view /domain
                4⤵
                • Discovers systems in the same network
                PID:1096
              • C:\Windows\SysWOW64\net.exe
                net user /domain
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 user /domain
                  5⤵
                    PID:4860
                • C:\Windows\SysWOW64\NETSTAT.EXE
                  netstat -ano
                  4⤵
                  • Gathers network information
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5056
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  4⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4976
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  4⤵
                  • Gathers network information
                  PID:4640
                • C:\Windows\SysWOW64\ARP.EXE
                  arp -a
                  4⤵
                    PID:4776

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\Application Data\inetinfo.exe
                    Filesize

                    136KB

                    MD5

                    80e4d8b7737999bd927d87282cdb2455

                    SHA1

                    0cd2f503ff244fd4d957d21eba8eded0b28fcee8

                    SHA256

                    b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01

                    SHA512

                    e96493179911184931a8892f08edd21889b016b54b8871105faa8adc1f759c08ee19e72c10ac290f273125da1cff65eab3a2b292d9e33e5f56f73c0a8b9f1ce7

                    Download Submit

                  • C:\ProgramData\inetinfo.exe
                    Filesize

                    136KB

                    MD5

                    80e4d8b7737999bd927d87282cdb2455

                    SHA1

                    0cd2f503ff244fd4d957d21eba8eded0b28fcee8

                    SHA256

                    b08e198a1e5528ab3250a3024e75d6546e79695768fd78d94a20450247d19f01

                    SHA512

                    e96493179911184931a8892f08edd21889b016b54b8871105faa8adc1f759c08ee19e72c10ac290f273125da1cff65eab3a2b292d9e33e5f56f73c0a8b9f1ce7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\info.bat
                    Filesize

                    581B

                    MD5

                    52b5878fbe8ecfafe96177c8001328b7

                    SHA1

                    3bc5f0fe87c76ed056e940dfcfaa176397527d94

                    SHA256

                    2ce2bccf6b09a3b49aafe4306b378fe0f4dea8f1104c1a0dfc060af5945f37db

                    SHA512

                    d6284b5b081887a2773cd4d459c225d9952b4f28551ea98f2463ef70009443bc75138fb6e5a871a14ab7935102e57b3cbc8310cafc1d97f530ed9a8ac6c4dd5c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\xcopy.exe
                    Filesize

                    42KB

                    MD5

                    7e9b7ce496d09f70c072930940f9f02c

                    SHA1

                    2f1a2a5156623a41f6c385f83b53f0c5a1dc6924

                    SHA256

                    b45997bb7c5fc6024685ee8752cf8ab871290a46b33e04fc4850a10077acba5a

                    SHA512

                    4eaf8f1fd4718b034bdc067f8514b74c4a95ab6895c2cb26b7e0e4489c237d659883a9fd6ce9fa1c4121a68574885233fa15f8ff61443687e7fa19f98341d7b6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\xcopy.exe
                    Filesize

                    42KB

                    MD5

                    7e9b7ce496d09f70c072930940f9f02c

                    SHA1

                    2f1a2a5156623a41f6c385f83b53f0c5a1dc6924

                    SHA256

                    b45997bb7c5fc6024685ee8752cf8ab871290a46b33e04fc4850a10077acba5a

                    SHA512

                    4eaf8f1fd4718b034bdc067f8514b74c4a95ab6895c2cb26b7e0e4489c237d659883a9fd6ce9fa1c4121a68574885233fa15f8ff61443687e7fa19f98341d7b6

                    Download Submit

                  • memory/1964-145-0x0000000000400000-0x0000000000432000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/1964-139-0x0000000000400000-0x0000000000432000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/2468-133-0x0000000000400000-0x0000000000432000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/2468-140-0x0000000000400000-0x0000000000432000-memory.dmp

                    Filesize

                    200KB

                    Download