Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/02/2024, 18:12

General

  • Target

    878c566de276df6679ec513a6450f4b2.exe

  • Size

    185KB

  • MD5

    878c566de276df6679ec513a6450f4b2

  • SHA1

    f2034a88a23cc38d6bf6aa8faa9173bc6b715b50

  • SHA256

    7df76a319373b547219b28e7222c97527bf6589ca2fa617e683517e98978d059

  • SHA512

    7257d443497fb78933208f5ae61e969dcd0eb46478901b2666e7299e3a5bee2e5a40396dbf4a03d693bf0e416ab7ba8160b81ed31fa0b497e606d80fb25cc867

  • SSDEEP

    3072:3k1qCmOEVlxJJLf8Lk8TpUjwIdunWQrHbMsKJDVHi+mvUQwKizTDLyn6OYBQfmzN:3k1ZmOgxJJ43dOdunX7MPJDVC+g6zjaG

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage or optical drives.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
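
The UPX signature above fires on the file as submitted; the memory dumps further down show the same process mapped at 0x00400000-0x00495000 (596KB) while the file on disk is 185KB, which is consistent with an unpacking stub expanding the image in place. The following is an added example, not code from the sandbox or from the sample: a minimal PE section-table parser with two UPX heuristics (stock section names, and the UPX0-style section that has VirtualSize but no raw data), run against header-only PE images constructed in the script itself rather than against the analysed file. The function names, the name set and the test images are this example's own.

```python
import struct

SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section. Raises ValueError for anything that is not
    a PE image, so a caller can treat "unparseable" as its own verdict."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table is truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\x00"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
        })
    return sections


def upx_indicators(data):
    """Two independent tells for a UPX-style packer.

    1. Section names: stock UPX writes UPX0/UPX1 (UPX2 on some builds).
    2. Layout: the first section has VirtualSize > 0 but SizeOfRawData == 0,
       i.e. reserved address space that the unpacking stub fills at run time.
       A modified UPX that renames its sections usually keeps this layout,
       so a miss on (1) alone proves nothing.
    """
    secs = parse_sections(data)
    by_name = any(s["name"] in UPX_SECTION_NAMES for s in secs)
    empty_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    return {
        "upx_section_names": by_name,
        "empty_first_section": empty_first,
        "sections": [s["name"] for s in secs],
    }


def build_pe(sections):
    """Constructed test data, not a real binary: a minimal PE with an empty
    optional header whose section table holds (name, virtual_size, raw_size)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, three zeroed fields, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    vaddr, rawptr = 0x1000, 0x400
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, vaddr,
                             rawsize, rawptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return dos + b"PE\x00\x00" + coff + table


# Three constructed images: stock UPX names, UPX layout with renamed sections,
# and an ordinary unpacked layout (sizes are illustrative only).
STOCK_UPX = build_pe([(b"UPX0", 0x60000, 0), (b"UPX1", 0x2E000, 0x2D000), (b".rsrc", 0x1000, 0x200)])
RENAMED_UPX = build_pe([(b".text", 0x60000, 0), (b".data", 0x2E000, 0x2D000), (b".rsrc", 0x1000, 0x200)])
PLAIN = build_pe([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x400), (b".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, image in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

Point `parse_sections` at the bytes of a real file to triage it; treat `empty_first_section` as the stronger of the two signals, since renaming sections is the first thing a modified UPX build changes.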

Processes

  • C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe
    "C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat" >> NUL
      2⤵
        PID:4864
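
Two things in the tree above are worth turning into detection logic: the parent spawns taskkill.exe with /F and wildcard /IM filters aimed at security-product process names, and then runs a batch file out of its own Temp directory with output thrown away, the usual shape of a self-deleting cleanup script. The SysWOW64 image paths next to System32 command lines are not an inconsistency in the report: the sample is a 32-bit process, so WOW64 file-system redirection serves the 32-bit binaries. The following is an added example, not part of the sandbox report: the three checks run over process-creation events constructed to mirror the tree (field names are this example's own, not a Sysmon schema), with one benign taskkill added for contrast. The AV name prefixes are the ones this sample targets and would be extended in a real rule.

```python
import re

# Constructed process-creation events mirroring the tree in this report,
# plus one benign taskkill (pid 5000) that the rules must not flag.
EVENTS = [
    {"pid": 1056, "ppid": 700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\878c566de276df6679ec513a6450f4b2.exe"'},
    {"pid": 3136, "ppid": 1056, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*'},
    {"pid": 4864, "ppid": 1056, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat" >> NUL'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /PID 1234"},
]

# Prefixes of the security-product image names this sample targets; a
# production rule would carry a fuller vendor list.
AV_NAME_PREFIXES = ("msascui", "avg", "ash", "mcsa")

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def im_targets(toks):
    """Values that follow /IM, lower-cased, trailing wildcard removed."""
    return [toks[i + 1].lower().rstrip("*")
            for i in range(len(toks) - 1) if toks[i].lower() == "/im"]


def matches_av(target):
    """Prefix match in both directions so 'msascui*' and a full image name both hit."""
    if len(target) < 3:
        return False
    return any(target.startswith(p) or p.startswith(target) for p in AV_NAME_PREFIXES)


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        toks = tokens(e["cmdline"])
        flags = {t.lower() for t in toks}
        parent = by_pid.get(e["ppid"])
        parent_in_temp = parent is not None and in_user_temp(parent["image"])
        image = basename(e["image"])

        # Rule 1: forced kill of security-product processes, wildcard or not.
        if image == "taskkill.exe" and "/f" in flags:
            hits = [t for t in im_targets(toks) if matches_av(t)]
            if hits:
                findings.append({"rule": "taskkill_av_kill", "pid": e["pid"],
                                 "severity": "high" if parent_in_temp else "medium",
                                 "detail": hits})

        # Rule 2: cmd.exe /c running a .bat from the user's Temp with output
        # sent to NUL; escalate when the parent also lives in Temp.
        if image == "cmd.exe" and "/c" in flags:
            bats = [t for t in toks if t.lower().endswith(".bat") and in_user_temp(t)]
            if bats and "nul" in flags:
                findings.append({"rule": "temp_batch_cleanup", "pid": e["pid"],
                                 "severity": "high" if parent_in_temp else "low",
                                 "detail": bats})

        # Rule 3 (informational): System32 in the command line but a SysWOW64
        # image means WOW64 file-system redirection, i.e. a 32-bit caller.
        if "\\syswow64\\" in e["image"].lower() and "\\system32\\" in e["cmdline"].lower():
            findings.append({"rule": "wow64_redirect", "pid": e["pid"],
                             "severity": "info", "detail": [e["image"]]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Rule 1 keys on the parent rather than on the exact process names, so a variant that swaps in other vendor prefixes still scores high as long as it is launched from a user-writable Temp path; rule 2 deliberately ignores the file name (del.bat) because it is the cheapest thing for the author to change.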

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\del.bat

      Filesize

      183B

      MD5

      822e76592870b80729cf9824146a042d

      SHA1

      d1b4b6e5cc9de93cc653df6c277cf47727c6b79f

      SHA256

      f38d8764fb335a2d68dae5f73a26d21639ab0a43508a3f9ce28f60c1f930d445

      SHA512

      a32001b5269e06f1d424d9ebc30ba60930ab790e0d863970dc482b877f3694bf6f6401b335793ff85cf3047356560f9c8b5781a8d5aa170228794b8079bf2e5e

    • memory/1056-0-0x00000000020B0000-0x00000000020DB000-memory.dmp

      Filesize

      172KB

    • memory/1056-1-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-2-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-3-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-4-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-5-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-6-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

    • memory/1056-9-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB