Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 00:37

General

  • Target

    21f811f9863e63d2e1a7e9942eea40b8.exe

  • Size

    2.3MB

  • MD5

    21f811f9863e63d2e1a7e9942eea40b8

  • SHA1

    983ba2140521e049615e72c3e7d9d8702f214d83

  • SHA256

    0c1ddda0f5819ac85497de5400bcfb34474e3d7cd028d043525171cefef256b3

  • SHA512

    1ee9789aad428998d2e8c49b69ddf4e94eb6705a555947077fab1cfd56653af47cc726ff920a84b3dfebf6c1641191438b79e1829b156f95e7993acdd48f335c

  • SSDEEP

    49152:UM7DPU7Ku2ocLnbdq6alDLcWLDg3/UnCcxQO8NUQWWxwct1yTnlQT:UVN2DLilMheL5QWWxwct1I2

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe
    "C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ping 127.0.0.1 /n 300 & "C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe" 6
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 /n 300
        3⤵
        • Runs ping.exe
        PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ping 127.0.0.1 -n 100 & "C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe" 5
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 100
        3⤵
        • Runs ping.exe
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe
        "C:\Users\Admin\AppData\Local\Temp\21f811f9863e63d2e1a7e9942eea40b8.exe" 5
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 656
      2⤵
      • Program crash
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/792-20-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB

  • memory/792-21-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB

  • memory/2008-0-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB

  • memory/2008-1-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB

  • memory/2008-4-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB

  • memory/2008-8-0x0000000000400000-0x0000000001466000-memory.dmp

    Filesize

    16.4MB