Overview

overview

8

Static

static

27f47faa08...0a.exe

windows7-x64

8

27f47faa08...0a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe

  • Size

    884KB

  • MD5

    9129275edf49cff83327c10120a17d7d

  • SHA1

    341d26a56440f86ab4151b7e8f64abab6abb9e0f

  • SHA256

    27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a

  • SHA512

    a07edbde06a0389b68b96fda94244ed6e911efaca98f8e7f1425e0a5538d2124a361dfd4e2d245edd837759665e7c2e1420b97aba1c9858a12c40e16fb518f18

  • SSDEEP

    24576:bQUQNSnYKZvrfEkOS5bLvotxWFuHmGNvu12qT:cUQNoYozLvvotxguXm

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe
    "C:\Users\Admin\AppData\Local\Temp\27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
      "C:\Users\Admin\AppData\Local\Temp\stealerunc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Users\Admin\AppData\Roaming\csrss.exe
        C:\Users\Admin\AppData\Roaming\csrss.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\STEALE~1.EXE
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:4496

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
    Filesize

    552KB

    MD5

    9f8f31df7b0b9b8645566f4ac1ca01e3

    SHA1

    2105930b6c90e84cfa42650f3b3dd08f9091195f

    SHA256

    b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

    SHA512

    734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
    Filesize

    552KB

    MD5

    9f8f31df7b0b9b8645566f4ac1ca01e3

    SHA1

    2105930b6c90e84cfa42650f3b3dd08f9091195f

    SHA256

    b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

    SHA512

    734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    Filesize

    34KB

    MD5

    e118330b4629b12368d91b9df6488be0

    SHA1

    ce90218c7e3b90df2a3409ec253048bb6472c2fd

    SHA256

    3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

    SHA512

    ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

    Download Submit

  • memory/1552-145-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1552-139-0x0000000000000000-mapping.dmp

    Download

  • memory/1552-140-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1552-144-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1552-148-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3144-136-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3144-132-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4004-147-0x0000000000000000-mapping.dmp

    Download

  • memory/4496-149-0x0000000000000000-mapping.dmp

    Download

  • memory/4868-137-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4868-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4868-146-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download