Analysis

  • max time kernel
    109s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-01-2023 00:52

General

  • Target

    payment details.exe

  • Size

    300KB

  • MD5

    ea4e6c334095a1774cd26ee55a12938a

  • SHA1

    a67620de5c43221158360ca5c62f255f4399ce71

  • SHA256

    a425471f300e2f0695bce0e65277302063e3550322d01e60c4bcf3f67543b576

  • SHA512

    51911750cd14decef07bd6cde48c575917eacd0231c13df76078239152448cdc6c7f42030aff62daaba6987d60afeba0c6e62021602bd10097e1513d7e176608

  • SSDEEP

    6144:RYa6iERGzhhTP317oEXgulciiJY1cfWOKLOQqkv7:RYI4AhhTNrXgulctbWpOQqK7

Malware Config

Extracted

Credentials

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment details.exe
    "C:\Users\Admin\AppData\Local\Temp\payment details.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Users\Admin\AppData\Local\Temp\tclxh.exe
      "C:\Users\Admin\AppData\Local\Temp\tclxh.exe" C:\Users\Admin\AppData\Local\Temp\oauwqtjowgg.zxk
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Local\Temp\tclxh.exe
        "C:\Users\Admin\AppData\Local\Temp\tclxh.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2356

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kajbvwhmqp.r

    Filesize

    264KB

    MD5

    65ced2189a75445d83513fd973ff8ec6

    SHA1

    733e5317c007134ed5c091e74b63f924fa87a5b2

    SHA256

    32380eb63eb7efc528d3ec5aee9234a68b16d67528ed0d495a9d53441095c32c

    SHA512

    11328d1e3312d1102c4ea493d380b651477be109be3d163444e3c22a02ffd22d4e2f80bb6aca72491aae7ce23829fc83cd44095c3f6a5f52d325146dd1ba679e

  • C:\Users\Admin\AppData\Local\Temp\oauwqtjowgg.zxk

    Filesize

    7KB

    MD5

    6f2b83c546226187b091368b959eaecc

    SHA1

    5ca30b1bc16c5b77240524549c397e80f15ff35d

    SHA256

    fab74eb15aad60343f5938e976f24ef8d3b873e8473994b73146f6e275354df8

    SHA512

    57aecac858a28d3a6dd229ebbc4dd367e690f6fbadf40b3fdfda9e503e6d27fa33fa775e2ba3c7b3016919aa3516e114508cfcc348f912b2f7e95ed2954551f1

  • C:\Users\Admin\AppData\Local\Temp\tclxh.exe

    Filesize

    57KB

    MD5

    49094370953727ea1b0dca78929c36cc

    SHA1

    dba0c48314650d80035c740a83b5c36141527fc5

    SHA256

    8c6e513d1ea9421574d73fe1bcaec222e737eb11372bbe55e7d000108e99666a

    SHA512

    1cbe016f86f446c10496b6aa840df749b5f688c72f64c876cf5229ed311002d03ce61ee593d37fe31e53876d8c7e3b401f995f6aa2f0f0c3479b79f99f36eb82

  • memory/2120-132-0x0000000000000000-mapping.dmp

  • memory/2356-137-0x0000000000000000-mapping.dmp

  • memory/2356-139-0x0000000004AB0000-0x0000000005054000-memory.dmp

    Filesize

    5.6MB

  • memory/2356-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/2356-141-0x00000000049D0000-0x0000000004A36000-memory.dmp

    Filesize

    408KB

  • memory/2356-142-0x0000000006160000-0x00000000061F2000-memory.dmp

    Filesize

    584KB

  • memory/2356-143-0x0000000006260000-0x000000000626A000-memory.dmp

    Filesize

    40KB

  • memory/2356-144-0x0000000006450000-0x00000000064A0000-memory.dmp

    Filesize

    320KB

  • memory/2356-145-0x0000000006540000-0x0000000006702000-memory.dmp

    Filesize

    1.8MB

  • memory/2356-146-0x0000000006710000-0x00000000067AC000-memory.dmp

    Filesize

    624KB