Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:22

Behavioral task: behavioral1
Sample: 74f5550fe4a304944f614d859e3e7004.exe
Resource: win7-20231215-en
General
Target: 74f5550fe4a304944f614d859e3e7004.exe
Size: 250KB
MD5: 74f5550fe4a304944f614d859e3e7004
SHA1: b53a9617b8e00dabbcb10f7592201f09f8828897
SHA256: b97c99f271cb2d218762fe38061ac11774f5135d95bf8945e4d45dbd60e69d57
SHA512: 5c7acdbb3c4ef6435d60b4026ca751ed58c074cb9d1edee08e6d8a53d3611b14cd8f3a7eda798e924bc4f9f73438120ae55749fa21d058de37ff127ef898d258
SSDEEP: 6144:BJeIKwbHlRIVao7OtIgV9cwfyGBaPihEiWg8jnCV7pQVRp+mfsg6:zNLIVao7XgV9cwfboiui7uCV7eRpp56
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation
    process: 74f5550fe4a304944f614d859e3e7004.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 8
    process: 3.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
    resource: behavioral2/memory/5084-0-0x0000000000400000-0x00000000004B2000-memory.dmp, yara_rule: upx
    resource: behavioral2/memory/5084-11-0x0000000000400000-0x00000000004B2000-memory.dmp, yara_rule: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 5084 wrote to memory of 8, pid: 5084, process: 74f5550fe4a304944f614d859e3e7004.exe, target process: 3.exe
    description: PID 5084 wrote to memory of 8, pid: 5084, process: 74f5550fe4a304944f614d859e3e7004.exe, target process: 3.exe
    description: PID 5084 wrote to memory of 8, pid: 5084, process: 74f5550fe4a304944f614d859e3e7004.exe, target process: 3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\74f5550fe4a304944f614d859e3e7004.exe"
  PID: 5084
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\3.exe
    command line: "C:\Users\Admin\AppData\Roaming\3.exe"
    PID: 8
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\3.exe
  Filesize: 344KB
  MD5: 3dc0297d7b73ebd1e539bf0a9c2683d5
  SHA1: 656ab0f04c78535abf603a406ab1669af4896f78
  SHA256: 22c43e3be6002557aa21246fccfc551f34e5d8c661cd43bfcf01e07d1d624537
  SHA512: ee76a5fde06f9038d7dc6f850291c7ac80765bc4e0f07ec171a50452d7dc8b97679808db120473b3ff87146fe6cbb0d274d89aadd8524513b6673eb0d80edf3e
- memory/5084-0-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/5084-11-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB