Overview

overview

10

Static

static

ben.exe

windows7-x64

10

ben.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/01/2023, 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ben.exe

  • Size

    4.1MB

  • MD5

    e1668320cc4cade25d81b798190725c1

  • SHA1

    2e260a1b3f1bcd26f00d8d6e850812c740b11d3b

  • SHA256

    0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c

  • SHA512

    18060d1e3be8b139863e46b3e77dc5d7e8b7629f0768fbaa1e4090acef065d04f6108036369b7c4b8fff7d1fcd7b74093f787c5d05f15bab38e5a1c4ea7f2242

  • SSDEEP

    98304:yAgqXSO7ZI0UxEcxtGya6JfjUV+2E3Szfj4bCBj4:yVqXTWxV7Jf6DbzrpB

Score
7/10
collectionspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ben.exe
    "C:\Users\Admin\AppData\Local\Temp\ben.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4896
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3632
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3052
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:3100
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5072
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:4364
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:1116
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:668

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2308-140-0x000000000313A000-0x000000000313F000-memory.dmp

              Filesize

              20KB

              Download

            • memory/2308-133-0x0000000000C90000-0x0000000000CB2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2308-134-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2308-132-0x0000000000010000-0x0000000000428000-memory.dmp

              Filesize

              4.1MB

              Download

            • memory/2308-138-0x000000001D500000-0x000000001D6C0000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2308-141-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4896-139-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4896-137-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

              Filesize

              10.8MB

              Download