Overview

overview

10

Static

static

10

5e38bce5b1...c8.exe

windows7-x64

10

5e38bce5b1...c8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2023 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e38bce5b175e470433f314ed3873cc8.exe

  • Size

    1.6MB

  • MD5

    5e38bce5b175e470433f314ed3873cc8

  • SHA1

    567325adefc324f0fefd07a6c021d94a246d7d05

  • SHA256

    32a152f5e46b11a74987365bc083824b43f283620c0d813cb1f1e37520a1f36c

  • SHA512

    2e98f347222f0f969868ad0fa34c306ea6a7ffb8a4757fdd85652418cf7430ca1fbffa22d0bce9c71baf820088fbce1a7ab948c77023063381af633c1df289b5

  • SSDEEP

    49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKqy8TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO

Score
7/10
collectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e38bce5b175e470433f314ed3873cc8.exe
    "C:\Users\Admin\AppData\Local\Temp\5e38bce5b175e470433f314ed3873cc8.exe"
    1⤵
    • Drops startup file
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Drops file in System32 directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2660
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4444
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1784
      2⤵
      • Program crash
      PID:2240
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:3244
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:1396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660
        1⤵
          PID:1236

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
          Filesize

          1.6MB

          MD5

          5e38bce5b175e470433f314ed3873cc8

          SHA1

          567325adefc324f0fefd07a6c021d94a246d7d05

          SHA256

          32a152f5e46b11a74987365bc083824b43f283620c0d813cb1f1e37520a1f36c

          SHA512

          2e98f347222f0f969868ad0fa34c306ea6a7ffb8a4757fdd85652418cf7430ca1fbffa22d0bce9c71baf820088fbce1a7ab948c77023063381af633c1df289b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\grandUIAARUUGOIRCk55k\information.txt
          Filesize

          3KB

          MD5

          ea3c9fe0da8eaa1f2fe94eb579025b81

          SHA1

          3e1b13ec6f3a0b8b52c36940c6b0bb71a98db488

          SHA256

          c85e601f3586804b1133b9a36f4495b718b47bbc4c5109cc57accdcb1488c1ce

          SHA512

          96b4942b8119bcf0630b7e18f56fd123e9c79bcaab2b19783a0c93ee4414fcf4446e90fbd584ef97c66bb1fa4a47ee9bad622c07df7f2416042172bc84fe7851

          Download Submit