Overview

overview

8

Static

static

1

DETAILS AN...ES.exe

windows7-x64

8

DETAILS AN...ES.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    267s
  • max time network
    271s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2023, 10:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DETAILS AND INVOICES.exe

  • Size

    283KB

  • MD5

    75f8bcbff6372c3739ed233f471b3cdf

  • SHA1

    dfa971bfd12532c5f002052fcef8a42c8b30d3b6

  • SHA256

    91c117de51834f688f45503a9f301a9529e747ec4b33f1668191a911f2bc5ba2

  • SHA512

    5fae5194c0da76f0b1f230ae6f5a8b6eaef4d82b912c53d8402c4dc5e616338fadd663d348782a9e84c719cf7f1600ae5b1d52e004d872132ab9becd136e8781

  • SSDEEP

    6144:/Ya6P8GBAbnYDf3AxtUY+L8l428XKTB4HPWL3HyzV0+JxmcG:/Yt8GrfAbQG42TB4OLXye+nmcG

Score
8/10
spywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICES.exe
      "C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICES.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
        "C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe" C:\Users\Admin\AppData\Local\Temp\xlblpqmtg.x
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
          "C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:432

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\vwcqnrtpqrq.o
            Filesize

            205KB

            MD5

            1acd9ecae6676c3fe165ede05b5af54f

            SHA1

            2956985998fea05def63a643ce69858cdeefeee0

            SHA256

            1d7878bc3d0e21888f809f0b4a86903cfe79d6bf5fa094c38599534bf8655267

            SHA512

            11fc6a8faa4b175664f1a60bfe79a4b78ca53970112720cc537f1a2a7dbb589c797295e0127b4e7632e2338dddd983576c69709ab3d6cd537f9ee32de2f3847c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\xlblpqmtg.x
            Filesize

            5KB

            MD5

            9c2e461a6c10bff7d24128c060a20a6a

            SHA1

            c115957a324b0d47c730fdd667fc03355de6e295

            SHA256

            4880a323303b0ce446959c2c50e9da48521a3c92834edc8c5978ff6ea1483450

            SHA512

            0d93f4c6a3ddf88fe6c606daddd8ec3f13d67fedbbab5a707a470fc7a6bfe38ba52acfa2257f778d1da6e2b359e269479dca365b974aa0715b9387f50065b787

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • \Users\Admin\AppData\Local\Temp\sqlite3.dll
            Filesize

            837KB

            MD5

            e1b58e0aa1b377a1d0e940660ad1ace1

            SHA1

            5afc7291b26855b1252b26381ebc85ed3cca218f

            SHA256

            1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

            SHA512

            9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

            Download Submit

          • \Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • \Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • \Users\Admin\AppData\Local\Temp\zrrqrcnl.exe
            Filesize

            74KB

            MD5

            6b064408e827a6e9dfd11ad77d6e4f76

            SHA1

            10547128e564b52bf27f1c3c6832b00aee4c73ca

            SHA256

            40ba1c4e9c6c6a0d851a7a2f1e966a680a060c865083eac08cac5f22414b4505

            SHA512

            dfd76c3c9973f801ad0adcd2cc3bdb932ece45c9125def203b5d5f48746ec4d65c24e79823e419caaf46f3f6c4c1c57776b2948e989219012a6dc33c10064c3e

            Download Submit

          • memory/520-73-0x0000000001F90000-0x0000000002293000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/520-74-0x0000000000490000-0x000000000051F000-memory.dmp

            Filesize

            572KB

            Download

          • memory/520-76-0x0000000000070000-0x000000000009D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/520-72-0x0000000000070000-0x000000000009D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/520-71-0x00000000000D0000-0x00000000000F6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1252-69-0x0000000003CA0000-0x0000000003D50000-memory.dmp

            Filesize

            704KB

            Download

          • memory/1252-75-0x0000000004C10000-0x0000000004D13000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1252-78-0x0000000004C10000-0x0000000004D13000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1464-54-0x0000000076581000-0x0000000076583000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1476-68-0x0000000000220000-0x0000000000230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1476-67-0x0000000000740000-0x0000000000A43000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1476-66-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download