Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 18:13

General

  • Target

    1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe

  • Size

    156KB

  • MD5

    66a502dc76e48ece9d93b9b5818b4f10

  • SHA1

    2e18c18e025b73870bed3bd5cbaa0981bf65cf7d

  • SHA256

    1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7

  • SHA512

    f7e0847a10c008d87fe715eb551ee1f0957021e549d8a3b9104270d8ad25a9164fb46d14c05298bcb213bc49fa62738bae3b3f67a053716a49a5e1f02680891b

  • SSDEEP

    3072:ilikxQUzHLV/sidu5k9AvVt7G9K7b+EdK5upvq9nV5P5ghIvX6gKEzeGAHVNVNbE:ilikxQU6w3BpiOh

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe
    "C:\Users\Admin\AppData\Local\Temp\1c3ff34a927847f718c004f19be84a23882b549ffaf1aa77f87c69b0f3c0a7e7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe
      "C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

    Filesize

    114KB

    MD5

    6e86cc4f7eab19bd067fac6b3c955b40

    SHA1

    a72b9d3b853e899e7e62c0f38f4234655f967d1e

    SHA256

    0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

    SHA512

    008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

  • C:\Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

    Filesize

    114KB

    MD5

    6e86cc4f7eab19bd067fac6b3c955b40

    SHA1

    a72b9d3b853e899e7e62c0f38f4234655f967d1e

    SHA256

    0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

    SHA512

    008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

  • \Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

    Filesize

    114KB

    MD5

    6e86cc4f7eab19bd067fac6b3c955b40

    SHA1

    a72b9d3b853e899e7e62c0f38f4234655f967d1e

    SHA256

    0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

    SHA512

    008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

  • \Users\Admin\AppData\Local\Temp\Friendster Bruteforce.exe

    Filesize

    114KB

    MD5

    6e86cc4f7eab19bd067fac6b3c955b40

    SHA1

    a72b9d3b853e899e7e62c0f38f4234655f967d1e

    SHA256

    0a661ffcfd3daeea0fcce984716db040d41d51d7539f87f9dd65056d0562568a

    SHA512

    008efcf74fd7eb1a22491452d77a8172b95cdfd6006dc25706fe42ae906529ecce2b24bf3e0cce80ba9ba5a418c49d0144160b0d0fec1a62eaac1e08a648b3b8

  • memory/1624-54-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB

  • memory/1628-60-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

    Filesize

    10.1MB

  • memory/1628-61-0x000007FEF2A80000-0x000007FEF3B16000-memory.dmp

    Filesize

    16.6MB

  • memory/1628-62-0x0000000000896000-0x00000000008B5000-memory.dmp

    Filesize

    124KB