0cfe83d4758e9c2cb881258191b2628be42b563fdb4ce22e8d94f0a3f7ef7726

Analysis

max time kernel
152s
max time network
190s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Details.exe
Size

877KB
MD5

d327d1f2e4c2192cb0d8c91045a4fb78
SHA1

2a70a23b9657e57aab2e1f364450d61d609d82eb
SHA256

0cfe83d4758e9c2cb881258191b2628be42b563fdb4ce22e8d94f0a3f7ef7726
SHA512

273812e39f3a7102863fdbe71d8c2e60d83147ce7087d1b80f13bb878ee413668ea09300905afe6493120bf5d6f4989d28ca3d09ee5b43f61e54faae8017dfcd
SSDEEP

24576:ZqKoweKqdPc8GCxuB8UiT+QVhRL6QRkUGhb36s:E/weKqdP2B8UiT+amHtp

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Bank Details.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Bank Details.exe

Loads dropped DLL 1 IoCs

pid	Process
1324	Bank Details.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1324	Bank Details.exe
2660	Bank Details.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 2660	1324	Bank Details.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1324	Bank Details.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30
PID 1324 wrote to memory of 2660	1324	Bank Details.exe	30

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
  "C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoD7E9.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/1324-10-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/1324-11-0x00000000778A0000-0x0000000077976000-memory.dmp

Filesize
856KB

Download
memory/1324-12-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2660-13-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/2660-14-0x0000000072C30000-0x0000000073C92000-memory.dmp

Filesize
16.4MB

Download