bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe
Size

56KB
MD5

6418f1a687d988c4c931e2a6336cd9d2
SHA1

0cfe153d379bebf61315b310fff9c6390aa03abb
SHA256

bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af
SHA512

a35e4c77536485fbd67d26cb8122c5a75a731841808a275fbf50c4d3fe5719ccb2488dd01961bf1eb4814495b89ca666a385e1be16c1e374499f745ef654148e
SSDEEP

768:SvznLWXwCYmL6JPu9DSSyb/bmtjnvQ02QU/97vpi5vroC+g:8znLWom6JP7SI4/697B809g

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2076	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2484	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1140	2484	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe	83
PID 2484 wrote to memory of 1140	2484	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe	83
PID 2484 wrote to memory of 1140	2484	bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe	83
PID 1140 wrote to memory of 2076	1140	cmd.exe	85
PID 1140 wrote to memory of 2076	1140	cmd.exe	85
PID 1140 wrote to memory of 2076	1140	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe
"C:\Users\Admin\AppData\Local\Temp\bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\bb05b1d633ac1e735eba4cae96594c00c1d5054b7e37408db9286c7ce1e396af.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-135-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2484-136-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2484-138-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download