Overview

overview

10

Static

static

3

030bad2f85...bb.exe

windows7-x64

10

030bad2f85...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    030bad2f855ca0f00316ddd0bd266bbb.exe

  • Size

    96KB

  • MD5

    030bad2f855ca0f00316ddd0bd266bbb

  • SHA1

    0576bf7d72f1e1e2e8e1ab60c3aa6e62d8b6f6e8

  • SHA256

    b804b753be765e9449600bb7dd46f36cbaa2bc92e29fe62f4e4bde26a1a87ae3

  • SHA512

    3343118d0daec3defcd823748fe3872666d3b14ddb99770f35bceaa6de18fdb94bcac267ad82beef7b9459181539390d4cdf1b97a8bb1601dc79eba09d2d1eba

  • SSDEEP

    1536:ezDBda3hhnnFhrXzRGxfaBv7kqxgEEVa0:G9da3hhnFhrDu8vZue0

Score
10/10
evasionpersistencespywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    darkwarrior

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\030bad2f855ca0f00316ddd0bd266bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\030bad2f855ca0f00316ddd0bd266bbb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • NTFS ADS
      PID:2092
    • C:\Users\Admin\AppData\Roaming\Svchost.exe
      "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:1688
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:3912
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:4172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\HDOfgCDNkRuKqwQ.txt
    Filesize

    2B

    MD5

    bafd7322c6e97d25b6299b5d6fe8920b

    SHA1

    816c52fd2bdd94a63cd0944823a6c0aa9384c103

    SHA256

    1ea442a134b2a184bd5d40104401f2a37fbc09ccf3f4bc9da161c6099be3691d

    SHA512

    a145800e53a326d880f4b513436e54a0ab41efc8fdd4f038c0edae948e5ae08d2a7077d5bb648415078dda2571fe92c4d6fa2130a80f53d9dd329e7040729e81

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Svchost.exe
    Filesize

    96KB

    MD5

    030bad2f855ca0f00316ddd0bd266bbb

    SHA1

    0576bf7d72f1e1e2e8e1ab60c3aa6e62d8b6f6e8

    SHA256

    b804b753be765e9449600bb7dd46f36cbaa2bc92e29fe62f4e4bde26a1a87ae3

    SHA512

    3343118d0daec3defcd823748fe3872666d3b14ddb99770f35bceaa6de18fdb94bcac267ad82beef7b9459181539390d4cdf1b97a8bb1601dc79eba09d2d1eba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qCkjXXyHTvPuSkw.txt
    Filesize

    70B

    MD5

    7f73bd56aefe2f4ea52867acc8f38792

    SHA1

    48b634644a1dcf7bf0b4b7aa37a0979cc03a6eeb

    SHA256

    8efa82676608fc0bb6f95c59a81bba429ca7314191ef218a5de3f912b9bf2236

    SHA512

    1119e0d2ed6a83b78ec74be64e71476462ffa58f442168951a6aa6eb64eae20897109769ce351820192c5aed021b8870616cc870e4d6d77d27eace238d6bf196

    Download Submit

  • memory/1112-0-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1112-1-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1112-2-0x0000000000DF0000-0x0000000000E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1112-16-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1140-10-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1140-11-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1140-17-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

    Download