Overview

overview

7

Static

static

39af554732...6a.exe

windows7-x64

7

39af554732...6a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    206s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39af5547327a0f1686f014c2240857899b046550126f20853b9978d53534896a.exe

  • Size

    400KB

  • MD5

    f18ea084ad23603ba8374cb17b57a56a

  • SHA1

    8b48001d59b64bd4ab884357952cb61de06b2e96

  • SHA256

    39af5547327a0f1686f014c2240857899b046550126f20853b9978d53534896a

  • SHA512

    c8a65ace28dfcfecdc6ad922ae18bb647ed7315f93a103b9d6e5f04d15a6625873b67766383e923d53f7918916af2e08999e135ba8e1c3c608b8da724e8500ff

  • SSDEEP

    768:Wl/YMBg3ehsdD3A8c0MOeaUV45Ww3j/V3NAJbG+VqUBanRDp+PrEOn:LLdD+0MON593j/obvvLIOn

Score
7/10
spywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39af5547327a0f1686f014c2240857899b046550126f20853b9978d53534896a.exe
    "C:\Users\Admin\AppData\Local\Temp\39af5547327a0f1686f014c2240857899b046550126f20853b9978d53534896a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4C5B.tmp\setstartpage – Norge.bat""
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im firefox.exe* /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:344
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:3596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.0.1642906824\1254967756" -parentBuildID 20200403170909 -prefsHandle 1688 -prefMapHandle 1620 -prefsLen 1 -prefMapSize 219971 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 1780 gpu
            5⤵
              PID:3128
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.3.730647687\1226044317" -childID 1 -isForBrowser -prefsHandle 1536 -prefMapHandle 1556 -prefsLen 78 -prefMapSize 219971 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 2500 tab
              5⤵
                PID:3284
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.13.746503151\482081124" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3352 -prefsLen 6860 -prefMapSize 219971 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 3484 tab
                5⤵
                  PID:976
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN" /V "START PAGE" /D "http://anystart.no/" /F
              3⤵
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              PID:1784
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "& {wget http://anystart.no?sethomeno}"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1924

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4C5B.tmp\setstartpage – Norge.bat
          Filesize

          926B

          MD5

          62250b01849c041a9408080b22062583

          SHA1

          ddc0d9b858a49348ce8745a7c8ec78f5149d4bc8

          SHA256

          4a132725c7119e23473389bc406cd0532ee1e3f6553bdf0b5c8334940acf67ae

          SHA512

          aacf6703cc0c6178c2b06e96bf4d9173258f4d6eb588934d5fd44ebace16236dad5caf3a30d7f60d0c3fe0c2d62ca5433764b4450ff892a7d2cc888cb15e1d66

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tkblmjt0.default-release\prefs.js
          Filesize

          6KB

          MD5

          a7d12c9ec4315a5b7748fd6caccbd6bc

          SHA1

          83f4ee0e6175d8f30b8c331046d38139c38ef704

          SHA256

          fc5edaa2050798867d718d0fa2b3dcdf22b5f5f3b68e881b652838600e9f6f70

          SHA512

          6f5df0551ef54898b8c880c124308cc3ddbf3dc5029c4f905b8d57788f7d3020d5e6894c61ce52610d42e1c54d8ef7b07a072a009b175c558ff956036ce3ab64

          Download Submit
        • memory/344-134-0x0000000000000000-mapping.dmp
          Download
        • memory/1784-136-0x0000000000000000-mapping.dmp
          Download
        • memory/1924-141-0x0000000004D00000-0x0000000004D66000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1924-137-0x0000000000000000-mapping.dmp
          Download
        • memory/1924-138-0x0000000000AA0000-0x0000000000AD6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/1924-139-0x0000000004F60000-0x0000000005588000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/1924-140-0x0000000004A60000-0x0000000004A82000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1924-142-0x0000000004DA0000-0x0000000004E06000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1924-144-0x0000000005A90000-0x0000000005AAE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1924-145-0x00000000072D0000-0x000000000794A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/1924-146-0x0000000005F90000-0x0000000005FAA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2044-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3596-135-0x0000000000000000-mapping.dmp
          Download