Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/01/2024, 20:04

General

  • Target

    030bad2f855ca0f00316ddd0bd266bbb.exe

  • Size

    96KB

  • MD5

    030bad2f855ca0f00316ddd0bd266bbb

  • SHA1

    0576bf7d72f1e1e2e8e1ab60c3aa6e62d8b6f6e8

  • SHA256

    b804b753be765e9449600bb7dd46f36cbaa2bc92e29fe62f4e4bde26a1a87ae3

  • SHA512

    3343118d0daec3defcd823748fe3872666d3b14ddb99770f35bceaa6de18fdb94bcac267ad82beef7b9459181539390d4cdf1b97a8bb1601dc79eba09d2d1eba

  • SSDEEP

    1536:ezDBda3hhnnFhrXzRGxfaBv7kqxgEEVa0:G9da3hhnFhrDu8vZue0

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    darkwarrior

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\030bad2f855ca0f00316ddd0bd266bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\030bad2f855ca0f00316ddd0bd266bbb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • NTFS ADS
      PID:1804
    • C:\Users\Admin\AppData\Roaming\Svchost.exe
      "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:2568
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2096
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\HDOfgCDNkRuKqwQ.txt

    Filesize

    2B

    MD5

    bafd7322c6e97d25b6299b5d6fe8920b

    SHA1

    816c52fd2bdd94a63cd0944823a6c0aa9384c103

    SHA256

    1ea442a134b2a184bd5d40104401f2a37fbc09ccf3f4bc9da161c6099be3691d

    SHA512

    a145800e53a326d880f4b513436e54a0ab41efc8fdd4f038c0edae948e5ae08d2a7077d5bb648415078dda2571fe92c4d6fa2130a80f53d9dd329e7040729e81

  • C:\Users\Admin\AppData\Roaming\Svchost.exe

    Filesize

    35KB

    MD5

    a1095b63e5c339d37410809b271412e1

    SHA1

    b79e38991cb87a648a853496c50ce9fc4625a5ab

    SHA256

    fd1098004293ba6bba97ee732bfb0e98fff4065c7940a8bf1b7f4c90ed12ac99

    SHA512

    43fdd3aac678e404bd1155c3939d9ab176ccb6ca3c3edbc195d4b772b164dd5c31edd3090f9b0b2a3604798d4cd5cb4d6f6db6f529e9886ae14d184f162845c3

  • C:\Users\Admin\AppData\Roaming\Svchost.exe

    Filesize

    7KB

    MD5

    8f02dc184e24f0c506606d86e9510aec

    SHA1

    6eebafa5fdad92780442ddedd9a969eb4a170783

    SHA256

    40dc0c352a5a207a386490fe2feadbe2e77c3955d5cfd2f75e501a1006f4b89e

    SHA512

    1223e156f354a6289a0c1f9c3d156f8cd3f158f5680228eae3149c8d8221f814f81c952515f520300b06dc8b6c22960fb66fbe146c2f6da95313667e4ff67aff

  • C:\Users\Admin\AppData\Roaming\Svchost.exe:ZONE.identifier

    Filesize

    27B

    MD5

    130a75a932a2fe57bfea6a65b88da8f6

    SHA1

    b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

    SHA256

    f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

    SHA512

    6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

  • \Users\Admin\AppData\Roaming\Svchost.exe

    Filesize

    8KB

    MD5

    7a214e3fd688843a4b635365d3b7da93

    SHA1

    137f36ae4e70564a89f17f1c087b8f0baa2f1444

    SHA256

    a14289ac6991d9c86283311c301caf25ff6729b7e69368f5d50b9fe287aa22e1

    SHA512

    487f6a9b11ee9059b9eb12b0721f338c876b57bfa8d01af0c3cedbed1bbc0e77c695a15e5722a2dbf59ba68dc4707ee803312f0c2d8f7acdb4583cae02e42aa4

  • \Users\Admin\AppData\Roaming\Svchost.exe

    Filesize

    21KB

    MD5

    fbe70a8789b886c6863584fb87c95617

    SHA1

    6acfc6215745c17dd6ca4ca9bc8ff1d83186d646

    SHA256

    4e32a2bfb493af1aca12fca0e9826122d5391148bf0e84d57e9131d7ee5c2c5b

    SHA512

    64daad1e60d50ecde8d8166b27b83cea0b43db55aa2479380193721cc453ee53654992b8fb66ee062962147b8eb3b11b7b789755dcfc901be3009111f1955b9d

  • memory/2180-15-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2180-13-0x0000000000A90000-0x0000000000AD0000-memory.dmp

    Filesize

    256KB

  • memory/2180-12-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2180-33-0x0000000000A90000-0x0000000000AD0000-memory.dmp

    Filesize

    256KB

  • memory/2180-34-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2180-35-0x0000000000A90000-0x0000000000AD0000-memory.dmp

    Filesize

    256KB

  • memory/2856-0-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2856-1-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2856-2-0x00000000000F0000-0x0000000000130000-memory.dmp

    Filesize

    256KB

  • memory/2856-30-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB