Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2023 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    4.1MB

  • MD5

    e1668320cc4cade25d81b798190725c1

  • SHA1

    2e260a1b3f1bcd26f00d8d6e850812c740b11d3b

  • SHA256

    0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c

  • SHA512

    18060d1e3be8b139863e46b3e77dc5d7e8b7629f0768fbaa1e4090acef065d04f6108036369b7c4b8fff7d1fcd7b74093f787c5d05f15bab38e5a1c4ea7f2242

  • SSDEEP

    98304:yAgqXSO7ZI0UxEcxtGya6JfjUV+2E3Szfj4bCBj4:yVqXTWxV7Jf6DbzrpB

Score
7/10
collectionspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:4152
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3292
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4280
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          3⤵
            PID:2716
          • C:\Windows\system32\findstr.exe
            findstr All
            3⤵
              PID:4052
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:4820
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:4928
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3284

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3292-137-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3292-138-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4152-140-0x000000001C16A000-0x000000001C16F000-memory.dmp

              Filesize

              20KB

              Download

            • memory/4152-141-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4152-139-0x000000001D770000-0x000000001D930000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4152-134-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4152-132-0x0000000000230000-0x0000000000648000-memory.dmp

              Filesize

              4.1MB

              Download

            • memory/4152-133-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

              Filesize

              136KB

              Download