Overview

overview

7

Static

static

3

5e44fc17e5...3a.exe

windows7-x64

7

5e44fc17e5...3a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    101s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 08:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5e44fc17e5dd3b8b85e71d8a8585993a.exe

  • Size

    26KB

  • MD5

    5e44fc17e5dd3b8b85e71d8a8585993a

  • SHA1

    9c16b7ddf013931f8ed78dac1dfd033b35f7148b

  • SHA256

    856407dba7376249881a2d1f1cc6a22a22f6ce52ceddc2954f1cb94ee91c9ff1

  • SHA512

    581d557d453d25c347974459eafcd8b86c0fff9314859af1332b72b992cae4fda932cb595683862d70ac9e7fee7cd2c3311ffac4852c31dd98a0ac6dc385fe23

  • SSDEEP

    768:4GsMx4TrdwVcxQnZJEhjY/z+73Vhqll+3uXnp:VsMx43dw6QZJOjYLCqlgQn

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e44fc17e5dd3b8b85e71d8a8585993a.exe
    "C:\Users\Admin\AppData\Local\Temp\5e44fc17e5dd3b8b85e71d8a8585993a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\5e44fc17e5dd3b8b85e71d8a8585993a.exe
      "C:\Windows\5e44fc17e5dd3b8b85e71d8a8585993a.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\5e44fc17e5dd3b8b85e71d8a8585993a.exe" >> NUL
        3⤵
          PID:5080

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_27-12-2023_13-04-20-FGNK.bin
            Filesize

            1KB

            MD5

            1f36641c8b1925fb4f6419ea5f2bc9ed

            SHA1

            eb7e4d405e1bcddfa5a171622c32766a77ed6793

            SHA256

            26aa7004d9f2bdfd203e561486dd44f43a492ff125461d8df5e70bf92a0e385d

            SHA512

            315def7c55e699be4933539cca4b2fd8dfad50d25bddb84ec19165ca64064f7836a3d72a73dedef495634d5ed042e6b1cb069f129c93eb47b919bfa3b296bc31

            Download Submit

          • C:\Windows\5e44fc17e5dd3b8b85e71d8a8585993a.exe
            Filesize

            26KB

            MD5

            5e44fc17e5dd3b8b85e71d8a8585993a

            SHA1

            9c16b7ddf013931f8ed78dac1dfd033b35f7148b

            SHA256

            856407dba7376249881a2d1f1cc6a22a22f6ce52ceddc2954f1cb94ee91c9ff1

            SHA512

            581d557d453d25c347974459eafcd8b86c0fff9314859af1332b72b992cae4fda932cb595683862d70ac9e7fee7cd2c3311ffac4852c31dd98a0ac6dc385fe23

            Download Submit

          • memory/1408-0-0x0000000000400000-0x0000000000452000-memory.dmp

            Filesize

            328KB

            Download

          • memory/1408-6-0x0000000000400000-0x0000000000452000-memory.dmp

            Filesize

            328KB

            Download

          • memory/2896-14-0x0000000000400000-0x0000000000452000-memory.dmp

            Filesize

            328KB

            Download