Overview

overview

10

Static

static

e8fc76296e...e4.exe

windows7-x64

10

e8fc76296e...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 23:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e8fc76296eccd649f0162320477f25d9b795055ec75102aa68c9702712df88e4.exe

  • Size

    116KB

  • MD5

    28c04f5ad3cf06d26bcae27683090657

  • SHA1

    ec4b8bf5e37b0bcba18c59e4395e40d424d2ea5e

  • SHA256

    e8fc76296eccd649f0162320477f25d9b795055ec75102aa68c9702712df88e4

  • SHA512

    e5c6b712eb3573e761e8e6a66734d5dc1acbbc9a5ec59c7f6aa16fd40edf9cb90d6c9ad444aafaacbf328ee1fdffda61b5cb3f85f56546751068d0abfaeb159b

  • SSDEEP

    3072:zFPqtcdH8Kl4gDBmJLzqjcCB678++Ja2ySKtX9hpj0V:zFytciKl4gDGfqwC+0JYxt/pj0V

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8fc76296eccd649f0162320477f25d9b795055ec75102aa68c9702712df88e4.exe
    "C:\Users\Admin\AppData\Local\Temp\e8fc76296eccd649f0162320477f25d9b795055ec75102aa68c9702712df88e4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst317ss.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst317ss.exe"
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Users\Admin\AppData\Local\Temp\rsysinit.exe
        C:\Users\Admin\AppData\Local\Temp\\rsysinit.exe
        3⤵
        • Executes dropped EXE
        PID:960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_240612281.bat "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst317ss.exe"
        3⤵
          PID:1164
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst_ff.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst_ff.exe"
        2⤵
        • Executes dropped EXE
        PID:1772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 928
          3⤵
          • Program crash
          PID:4444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        2⤵
          PID:412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
        1⤵
          PID:2416

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
                Filesize

                300B

                MD5

                9a3b1c50d00435231357a3ef4fc37f81

                SHA1

                050b5af36327a04e601f27e6de9f0f8ac7824ed4

                SHA256

                5cbc2a463b67d23c4d1b1904d77f8332b33494b9ce3846278c95d95410b81bfa

                SHA512

                fc0362c5ea4adec9a222ad9a615ad89cbf4ad47d4846399b69af24e9253da8061a723e9f852987131541346fe682f2a310103a469122e9c56865c77efdf0d6de

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst317ss.exe
                Filesize

                19KB

                MD5

                f0fdba38d90ba89ecb4a1c96bf4b42b7

                SHA1

                7b597633a5d03093f3edaa76d72df3f257256ad5

                SHA256

                4a4c5ac3f53136b668d1f1aa50ade5110e25e964a7e1880cf4dfcc2da051c200

                SHA512

                ada7fb9369805491b98cbae173d650efc0f744f891d7bf479f72d5122fcf64ecd87de56375d6248311d97bb1b711d5d0f12632b5e28fdc17e0edd8c8ae63bf47

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst317ss.exe
                Filesize

                19KB

                MD5

                f0fdba38d90ba89ecb4a1c96bf4b42b7

                SHA1

                7b597633a5d03093f3edaa76d72df3f257256ad5

                SHA256

                4a4c5ac3f53136b668d1f1aa50ade5110e25e964a7e1880cf4dfcc2da051c200

                SHA512

                ada7fb9369805491b98cbae173d650efc0f744f891d7bf479f72d5122fcf64ecd87de56375d6248311d97bb1b711d5d0f12632b5e28fdc17e0edd8c8ae63bf47

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst_ff.exe
                Filesize

                22KB

                MD5

                5157067e9ceea9beb10eb408a6cca779

                SHA1

                5810b9e147c98c7f9e4d3de9d423d58e6159342e

                SHA256

                d8eb26aa1c2775b64a8500e14ffaf5915c00fcc6c660a32eba2f269eaba8bfdb

                SHA512

                a9941f6a12b8bb3876c63f1e45951e91371603fd0dcdd555af96bea6c26798e19bfa9d909bdf8d03eadf6c9c9885dcaea5253b961e9705d79acf2cd5283f1f69

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst_ff.exe
                Filesize

                22KB

                MD5

                5157067e9ceea9beb10eb408a6cca779

                SHA1

                5810b9e147c98c7f9e4d3de9d423d58e6159342e

                SHA256

                d8eb26aa1c2775b64a8500e14ffaf5915c00fcc6c660a32eba2f269eaba8bfdb

                SHA512

                a9941f6a12b8bb3876c63f1e45951e91371603fd0dcdd555af96bea6c26798e19bfa9d909bdf8d03eadf6c9c9885dcaea5253b961e9705d79acf2cd5283f1f69

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\rsysinit.exe
                Filesize

                1KB

                MD5

                41d7bbec3b2bc56a523523397978da6e

                SHA1

                5fc74eca666e43133f96b9b0990e88a9e57250bf

                SHA256

                45da0b0b49ebf76bf83bef68449b603d8b8702160892a77014e06a1260fa7239

                SHA512

                5a047f6108d069a27177fdd3d0089c2d4f5bca0c542f2d180db96d740c2951bf8c7b4d156b51a9d5430ec24a939c7cd11e18875e5667a5881f8d303e27ebc64b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\rsysinit.exe
                Filesize

                1KB

                MD5

                41d7bbec3b2bc56a523523397978da6e

                SHA1

                5fc74eca666e43133f96b9b0990e88a9e57250bf

                SHA256

                45da0b0b49ebf76bf83bef68449b603d8b8702160892a77014e06a1260fa7239

                SHA512

                5a047f6108d069a27177fdd3d0089c2d4f5bca0c542f2d180db96d740c2951bf8c7b4d156b51a9d5430ec24a939c7cd11e18875e5667a5881f8d303e27ebc64b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\temp_240612281.bat
                Filesize

                51B

                MD5

                f04f494168326c65a3f1da7069a5dafc

                SHA1

                ecf8b7aeb4953bcdd9e0818cc30ffada99602035

                SHA256

                d594a84d1cec28d0e9e3833eef9e693873e9acfc0444749d791a66b2717aede1

                SHA512

                e5a54a341eb3029dc8d1393c2e8957881f95f4ba41998ef439dd3a67841ab083f275c3d670780cf69efa90b342321fddf8bb0addc93042f2fc0d66d9b9bbac94

                Download Submit

              • memory/1864-140-0x0000000000400000-0x000000000040C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/1864-135-0x0000000000400000-0x000000000040C000-memory.dmp

                Filesize

                48KB

                Download