Overview

overview

10

Static

static

3

Doc.exe

windows7-x64

7

Doc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2023, 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc.exe

  • Size

    720KB

  • MD5

    6fac1d175f51ebf8890cc785e2eefdaf

  • SHA1

    aa50651bfc4f3c2be45f42dda737ac8f5a42b6f5

  • SHA256

    a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e

  • SHA512

    ffdedb550a54a943c35a75308d0d6282141d540b3aefd564258a69a84bb20e076564afb89f674648f7723110bf781da80b9a6ab7dc08227ab129870d3ad83971

  • SSDEEP

    12288:XMYnQ3j67SESV1eXl8OhA90G/zoEVEKM3vmVFw3Bzfm8nH9X4OvJq4BTaeec7KEC:XBGpOP9f5nH9IO8IeN9EPOQ+zYe

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Doc.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Users\Admin\AppData\Local\Temp\Doc.exe
      "C:\Users\Admin\AppData\Local\Temp\Doc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1768-38-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-12-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-2-0x0000000000EB0000-0x0000000000F3A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1768-3-0x0000000000C60000-0x0000000000CA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1768-71-0x0000000074090000-0x000000007477E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1768-61-0x0000000000360000-0x0000000000361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-58-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-9-0x00000000003C0000-0x00000000003EA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1768-60-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-0-0x0000000000F70000-0x0000000001028000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1768-40-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-14-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-16-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-18-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-22-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-20-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-24-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-28-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-26-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-32-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-30-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-36-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-1-0x0000000074090000-0x000000007477E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1768-34-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-10-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-44-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-42-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-46-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-48-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-50-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-52-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-54-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1768-56-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2140-11-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2140-8-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2140-7-0x000000006E5C0000-0x000000006EB6B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2140-76-0x000000006E5C0000-0x000000006EB6B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2140-6-0x000000006E5C0000-0x000000006EB6B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2992-63-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-64-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-68-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2992-70-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-73-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-74-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2992-65-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2992-77-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2992-78-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

    Filesize

    256KB

    Download