Analysis
-
max time kernel
140s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-04-2023 18:41
General
-
Target
73da98ea6f303b14d150e647de7ff772daf720315498d1e1e7ef5b9195b6ea79.exe
-
Size
639KB
-
MD5
5799a92f997c9b915e4982837e129895
-
SHA1
5cb67960e5446b6ca2f495d5ff7ca1cf39fc4775
-
SHA256
73da98ea6f303b14d150e647de7ff772daf720315498d1e1e7ef5b9195b6ea79
-
SHA512
6225a06f235eaa956e9759b819925953af5e372d7a06ab95e7016727ca04db60f5131d48c52d19583f077cbda8dd264e862f9f03ef4eefa3edcfd39c434c5885
-
SSDEEP
12288:M4vgb1vBDAwL1cpLCuP8PTw70JoJSdgTnDGOYylPRH+1BzDDz9xeZM11cedX:M4vMlBDpL1tziFSsFy1lDWZqldX
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73da98ea6f303b14d150e647de7ff772daf720315498d1e1e7ef5b9195b6ea79.exe"C:\Users\Admin\AppData\Local\Temp\73da98ea6f303b14d150e647de7ff772daf720315498d1e1e7ef5b9195b6ea79.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZB6MJMV3\www.msn[1].xmlFilesize
329B
MD5e15d76a073e86492457e203b071c8801
SHA10d28e7339e44d03df50205d52349d4b5bf529463
SHA25643f7a8f6b46d1ebe240f56480e6e226622259f31314cd0c5a0dd3e3ba9f8f5ed
SHA5128dc86d8e81d66fe286dccc4b3f65f23e0e2492bcdf692e027ac857dc6277bf90015911e00c04ee67061dac78dd2ecc06cb228891cf3234e07e8f8d3b17b30c29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\xuid[1].gifFilesize
37B
MD53eacd0132310ea44cad756b378a3bc07
SHA1e2216a7e9b73f5cb0279351c78ce61c33475cea7
SHA256bb229a48bee31f5d54ca12dc9bd960c63a671f0d4be86a054c1d324a44499d96
SHA512bd9ab35dde3a5242b04c159187732e13b0a6da50ddcff7015dfb78cdd68743e191eaf5cddedd49bef7d2d5a642c217272a40e5ba603fe24ca676a53f8c417c5d
-
memory/1700-133-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1700-135-0x000000006FAB0000-0x000000006FAC0000-memory.dmpFilesize
64KB
-
memory/1700-329-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1700-333-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
