Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2023 01:59

General

  • Target

    test.exe

  • Size

    454KB

  • MD5

    21244087a7dcba699f7ad63c4c0346f6

  • SHA1

    98ec31fb127c164bcc0f222fc6981c76cea6cb48

  • SHA256

    e0eb3b8f19ab1ce1c0ead9b342a31b6c1289311fcd23adbe02234f98949af360

  • SHA512

    23b8624dd0c25ef544a2275acebd7ca36c906a3289b5b51ad610e5a0e2550b5aa18a7384b019acf6ce22c3de9a4a73e9128492e1b66758b99948a70134689a5b

  • SSDEEP

    12288:D3h1nHLnHesNJhMfb9BWnqq/z4QCBNHTsbq43Y:D3h1bHpJh4bmVzKBNHTs+l

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1236

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Credential Access  Credentials in Files           3      T1081
  Discovery          Query Registry                 1      T1012
  Discovery          System Information Discovery   2      T1082
  Collection         Data from Local System         3      T1005
  Collection         Email Collection               1      T1114

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log
    Filesize

    1KB

    MD5

    dc464d62de128521567362201cf8d7b1

    SHA1

    e57a8c8aad4ed18d0138b0dd99f395e97662bff8

    SHA256

    d35faa203ecb0c712dc9bf60e75a18b80423cd3054f28ea9e556339ef30de652

    SHA512

    f6728bbbedde65776479b705e5af49485a1886355e4bfc867531bf7d59f8e7188eff5b193845e3ad6a77aa59518f529fd6e4ace4504a2a153a8cbdb20dfc8005

  • memory/1236-145-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

  • memory/1236-149-0x0000000007100000-0x00000000072C2000-memory.dmp
    Filesize

    1.8MB

  • memory/1236-148-0x0000000006EE0000-0x0000000006F30000-memory.dmp
    Filesize

    320KB

  • memory/1236-147-0x0000000006C50000-0x0000000006C5A000-memory.dmp
    Filesize

    40KB

  • memory/1236-144-0x0000000000000000-mapping.dmp
  • memory/2932-136-0x0000000000000000-mapping.dmp
  • memory/2932-139-0x00000000053E0000-0x0000000005446000-memory.dmp
    Filesize

    408KB

  • memory/2932-140-0x0000000005500000-0x0000000005566000-memory.dmp
    Filesize

    408KB

  • memory/2932-141-0x0000000005B20000-0x0000000005B3E000-memory.dmp
    Filesize

    120KB

  • memory/2932-142-0x00000000073A0000-0x0000000007A1A000-memory.dmp
    Filesize

    6.5MB

  • memory/2932-143-0x0000000006020000-0x000000000603A000-memory.dmp
    Filesize

    104KB

  • memory/2932-138-0x0000000004C60000-0x0000000005288000-memory.dmp
    Filesize

    6.2MB

  • memory/2932-137-0x0000000002550000-0x0000000002586000-memory.dmp
    Filesize

    216KB

  • memory/4280-132-0x0000000000410000-0x0000000000488000-memory.dmp
    Filesize

    480KB

  • memory/4280-135-0x0000000004F40000-0x0000000004F62000-memory.dmp
    Filesize

    136KB

  • memory/4280-134-0x0000000004D80000-0x0000000004E12000-memory.dmp
    Filesize

    584KB

  • memory/4280-133-0x0000000005250000-0x00000000057F4000-memory.dmp
    Filesize

    5.6MB