Overview

overview

10

Static

static

3

3b9617f561...b1.exe

windows7-x64

10

3b9617f561...b1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b9617f561c549d43ee612b00c635ab1.exe

  • Size

    229KB

  • MD5

    3b9617f561c549d43ee612b00c635ab1

  • SHA1

    1b2cc5c3a3694e1600a0c358df605d0c24047b3e

  • SHA256

    bddf24d7ae594e5398077966c512aa4b68722063cc0735d0d3a4900eabe010ab

  • SHA512

    4e819a3b66ea94b2ba3464a2f32d9394c45f35c416bce8e6f60d290d4b35c85489a8782d06409635648c8d650fcb16139f93c8918431ac457122f284c1ac8bd3

  • SSDEEP

    6144:FcNkgTq4uXFFcz1c6afbkXV1tnN8MZZ2LuryV:FcNkgTq42cBPafbGV1xKV

Score
10/10
collectiondiscoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b9617f561c549d43ee612b00c635ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\3b9617f561c549d43ee612b00c635ab1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\EDITOR.EXE
      "C:\Users\Admin\AppData\Local\Temp\EDITOR.EXE"
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Users\Admin\AppData\Local\Temp\Pinch.exe
      "C:\Users\Admin\AppData\Local\Temp\Pinch.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2408
  • C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    • Accesses Microsoft Outlook profiles
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\EDITOR.EXE
    Filesize

    92KB

    MD5

    e2a9e5488e69ecf0669347add2e4336f

    SHA1

    91090791712ee30bf4e3542eaef36a76997c8b36

    SHA256

    30fa5c5f66765b1d8bde1b8f477d4fed6559a9160e929bacc74fe1422dd380ab

    SHA512

    bb8edc971706d79064bd6021ea31fc09a77e92e710905589888347db8947ecddf0b6f9fe3ddc825f1a02c88e77e133c3e32b5c931233ab6f0c996172084f9b56

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Pinch.exe
    Filesize

    11KB

    MD5

    92359313b497c7c2497d2b41d6b6adcc

    SHA1

    b545d624a38661a81fa478382be5c6f092809839

    SHA256

    08a19e53f21bbc4a3a81e12a57670775f23cf22766d6df830e8ea6ecc00e1efd

    SHA512

    51f61a3219aab02b3224dbe52fb9e91b26ebfbc702454d1b62b5f256e373f950d5f073f35cc8c116644e3f2044600c84a9434b5e6218e7c52bb6335b52c227eb

    Download Submit

  • memory/2176-0-0x0000000000400000-0x000000000043AFE4-memory.dmp

    Filesize

    235KB

    Download

  • memory/2176-35-0x00000000027B0000-0x000000000284A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2176-33-0x0000000000400000-0x000000000043AFE4-memory.dmp

    Filesize

    235KB

    Download

  • memory/2176-32-0x00000000027A0000-0x000000000283A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2408-46-0x0000000013140000-0x0000000013176000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2516-52-0x0000000013140000-0x0000000013176000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2732-40-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-38-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2732-51-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2732-55-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download