Analysis

  • max time kernel
    111s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 17:11

General

  • Target

    abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

  • Size

    443KB

  • MD5

    5433b8670bab92b5054e45d610a9398c

  • SHA1

    4e6f141f43c8615dca31573abeaedab1291bde4a

  • SHA256

    abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65

  • SHA512

    7c8e46d22f15aa0e2180a2c150e8bb5b86ce97f074492c0db2dd4f1926b8524ce10d237c28d74c66d72cff3a8f21069a2b2bdfcbb144a960be40a127da77e14b

  • SSDEEP

    6144:PNqfRDSc5H1cxVApGhf165aWktv1C2ibXkR6GAS5o4BPtEYuCKdakVO:PNv+SnAaf165atG2ibw1vqOPbuCKdac

Malware Config

Signatures

  • Nirsoft 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe
    "C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe"
      2⤵
      • Drops startup file
      PID:3508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Example" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Example.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Example" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Example.exe
        3⤵
        • Adds Run key to start application
        PID:4052
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2552
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4144
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
      2⤵
      PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1): T1064
  • Persistence
    Registry Run Keys / Startup Folder (1): T1060
  • Defense Evasion
    Scripting (1): T1064
    Modify Registry (1): T1112
  • Credential Access
    Credentials in Files (1): T1081
  • Discovery
    Query Registry (3): T1012
    System Information Discovery (4): T1082
  • Collection
    Data from Local System (1): T1005


Downloads

  • memory/1724-132-0x0000000074F10000-0x00000000754C1000-memory.dmp
    Filesize: 5.7MB
  • memory/1724-142-0x0000000074F10000-0x00000000754C1000-memory.dmp
    Filesize: 5.7MB
  • memory/3508-133-0x0000000000000000-mapping.dmp
  • memory/3660-137-0x0000000000000000-mapping.dmp
  • memory/3660-138-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize: 96KB
  • memory/3660-140-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize: 96KB
  • memory/3660-141-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize: 96KB
  • memory/4052-135-0x0000000000000000-mapping.dmp
  • memory/4144-136-0x0000000000000000-mapping.dmp
  • memory/4456-134-0x0000000000000000-mapping.dmp