Overview

overview

8

Static

static

3

5b484a2ea4...e2.exe

windows7-x64

7

5b484a2ea4...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2024 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b484a2ea446dc0b049554a45a7199e2.exe

  • Size

    842KB

  • MD5

    5b484a2ea446dc0b049554a45a7199e2

  • SHA1

    0e9b03648a491ed221c50026c77c61cf92108de8

  • SHA256

    2bac343d25b4c6b8a6f93682813b85735ca0325ab240a49a2abbc95492866fff

  • SHA512

    88e75e036526cb8d06cdca6d5ddeda3eb73bbb2449606228214ccf68a98431724c08aabb2e2974fef2e27e10c3e626af9223bae058ce6989d12cf34e46456153

  • SSDEEP

    24576:ZNLmjHYHfe+SBa8uzsiYWb+n3BsM8BYkRc37aOu:Zpmj4HW9Ba8EKuMcYDL

Score
7/10
bootkitpersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b484a2ea446dc0b049554a45a7199e2.exe
    "C:\Users\Admin\AppData\Local\Temp\5b484a2ea446dc0b049554a45a7199e2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\isecurity.exe
    Filesize

    487KB

    MD5

    fa98835def53ae6d5ace5b9ebe67a0cd

    SHA1

    c484e5836da22375072b19b949fa5de50e504d32

    SHA256

    d179b1979eb3397840fb1988b25544d09a48a24a6612c129440871586afdcabf

    SHA512

    6999b281315c3b40ba8fc08374037776f1df808f382f4bfc9f0e9002b1b2bcee11b9d92b1582c47e4694fd8a62b6451987feddee5dc48213ac281e4d78e27dbe

    Download Submit
  • C:\ProgramData\isecurity.exe
    Filesize

    835KB

    MD5

    94f1bb632e23af11ab8d009cd68f6c39

    SHA1

    426236401df0d42d13cd50dabceb370a90790989

    SHA256

    7e28270e8dac6064b5b308ff11d4f725376ca59ae9cdcbf38014a3eecbb884c9

    SHA512

    61885316becec706e0d4c3fa9dcc65ee3c74233de93ccfb681f7c962d5162b60abb67fa0dea0a8f458b2349930daab92ba3019523662737a05c6261a8a5fdb14

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    668KB

    MD5

    33d3dc7894b078b623d9e7e4aeb2c9d4

    SHA1

    b7b1cb5c9c724ff8d2346d04fde187cf291d07a0

    SHA256

    f35f796a865fb2ac5975ab4d7927af7c0e84bf45d470cf98d5b75fdcd48bbdae

    SHA512

    54ae851f3de30b256b7457fd28681ae97b160e32643013d170e1ccba6bc0bda46c169787e94a0f1be7a2671a920f68df8fc1b27ba37938f24fb7a688842a1f4e

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    832KB

    MD5

    4bcd587a862df239fc58f5945a3334c1

    SHA1

    67d210ef14c6906192370e9c9f699099eda7c86c

    SHA256

    e3244e52e7294348e5f5297cb56d72cf7b85e284f074fa945f56aea31c7f634c

    SHA512

    e9996c5ccb66a6d27d874e3227f4bb203e17c53a539ba2e09c87188d3e87f91ad68b0b94212173c9c3312338bf4b699c1a4672b7c54940059bdb879f6c2d8ecd

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    764KB

    MD5

    203f44ca461f64a1e569acbf5c9eb3ee

    SHA1

    061ae882ae24cd8afdd7d9d17b43dc95c87ebed3

    SHA256

    af2b74cf2593a11ba4b8525bbd254233b08568690736b5332297c89066cb046e

    SHA512

    849f6aca3d6e73fd9c15cbf9a38bf0f9711073b55988c5b72ece69aca3bde806c475cca6068c554bc6099c3cbdb9a788f67909e672f16cc4627cbb635b406786

    Download Submit
  • memory/2148-28-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-30-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-44-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-21-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-20-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-43-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-42-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-23-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-24-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-25-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-27-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-41-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-29-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-40-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-31-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-33-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-34-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-35-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-36-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-37-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-38-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2148-39-0x0000000000400000-0x0000000000A3E000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2320-5-0x0000000076F30000-0x0000000076F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2320-2-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2320-8-0x0000000000400000-0x0000000000505000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2320-1-0x0000000000400000-0x0000000000505000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2320-0-0x0000000000400000-0x0000000000505000-memory.dmp
    Filesize

    1.0MB

    Download