Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 03:52

General

  • Target

    03ff8e73ab121b64b121aec7ea65995f.exe

  • Size

    250KB

  • MD5

    03ff8e73ab121b64b121aec7ea65995f

  • SHA1

    a72ecdfaf8cca67c56bf7e0d25d6646dcbbf0135

  • SHA256

    5a8a35d2d8c156d5fb1eaea401d2ba69cf201eb6a55fa7effeecc011e84a9083

  • SHA512

    d1982c3d0349a3b6c01a63362d6a1951d19df302f55c90a364117b9b6b723200280ad62215c6c545e3d0812fa7fbc231186fe609e6f91012bc8ace337c584237

  • SSDEEP

    6144:h1OgDPdkBAFZWjadD4s5Xb7UNlV/dGDhO:h1OgLdaOX6jJ

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ff8e73ab121b64b121aec7ea65995f.exe
    "C:\Users\Admin\AppData\Local\Temp\03ff8e73ab121b64b121aec7ea65995f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\7zS4AE4.tmp\50f7bba2e8374.exe
      .\50f7bba2e8374.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:3192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS4AE4.tmp\50f7bba2e8374.exe

    Filesize

    71KB

    MD5

    b78633fae8aaf5f7e99e9c736f44f9c5

    SHA1

    26fc60e29c459891ac0909470ac6c61a1eca1544

    SHA256

    d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

    SHA512

    3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

  • C:\Users\Admin\AppData\Local\Temp\7zS4AE4.tmp\settings.ini

    Filesize

    6KB

    MD5

    8a41e7eea5255b764bb5a6ee2c3271f7

    SHA1

    c0a05c4c709adbcfc0db1e3a64ef59f69412ba95

    SHA256

    e118125e14efe1774dca6de9b1f170037959cf3679efd46a9f49389f471ebe49

    SHA512

    f610b95b5e307b976eb3b07ac1124bfc625dc05c1a63bbfa16023d49f273c3717efb46750fc96e33b95f5e880ecefc92d66f4533136a362021004cf66609a1aa

  • C:\Users\Admin\AppData\Local\Temp\nsm4B81.tmp\UserInfo.dll

    Filesize

    4KB

    MD5

    7579ade7ae1747a31960a228ce02e666

    SHA1

    8ec8571a296737e819dcf86353a43fcf8ec63351

    SHA256

    564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

    SHA512

    a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

  • memory/3192-78-0x00000000747F0000-0x00000000747FA000-memory.dmp

    Filesize

    40KB