b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58

Analysis

max time kernel
184s
max time network
257s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
15/11/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe
Size

208KB
MD5

7918013ae55de62f5e108342a464864c
SHA1

8708c49b44c2807ef24687ebd4dc68a1a69b4100
SHA256

b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58
SHA512

7c68fe54350bfa412af86383901d8e71a1cca7cc0b803c3a9fc980b66594dd862b0ae6a8909f71a287e40e8b96feb1a86b101bcc9f548b7ddaa8224450d1c9d8
SSDEEP

3072:+W24/2cixIYIXT4f9Nv9+vDgnd3MVdGUmPtV/8zDKlpN4c:+hxIlXTGvY8nd3MVdGUctlmKF

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1508	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe
3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5084	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	72
PID 3920 wrote to memory of 5084	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	72
PID 3920 wrote to memory of 5084	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	72
PID 3920 wrote to memory of 3512	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	73
PID 3920 wrote to memory of 3512	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	73
PID 3920 wrote to memory of 3512	3920	b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe	73
PID 3512 wrote to memory of 1508	3512	cmd.exe	76
PID 3512 wrote to memory of 1508	3512	cmd.exe	76
PID 3512 wrote to memory of 1508	3512	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe
"C:\Users\Admin\AppData\Local\Temp\b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\GCGDGHCBGD.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3920-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/3920-2-0x00000000023A0000-0x00000000023C6000-memory.dmp

Filesize
152KB

Download
memory/3920-3-0x0000000000400000-0x00000000007BD000-memory.dmp

Filesize
3.7MB

Download
memory/3920-19-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3920-37-0x0000000000400000-0x00000000007BD000-memory.dmp

Filesize
3.7MB

Download
memory/3920-38-0x00000000023A0000-0x00000000023C6000-memory.dmp

Filesize
152KB

Download