Analysis

  • max time kernel
    142s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/02/2024, 23:21

General

  • Target

    VirusShare-011fcece058e729e2c21e7085b600b41.exe

  • Size

    100KB

  • MD5

    011fcece058e729e2c21e7085b600b41

  • SHA1

    5503bce7be753d1b0975811fe33ac0ca808706a8

  • SHA256

    c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae

  • SHA512

    434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1

  • SSDEEP

    1536:0AMmzjRQoRKrazFxpwY64ee6d0J+j9NaDJXeUDswIMT+Z3zBP51RbJG1U:BjCoR7XDeY+j9NeZIW+Z9P515Ja

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 7 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\SysWOW64\nsacesh.exe
      C:\Windows\system32\nsacesh.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Modifies registry class
      PID:2980

Network

  MITRE ATT&CK Enterprise v15

  Downloads

  • C:\Windows\SysWOW64\sogbaol.exe
    Filesize: 100KB
    MD5: 011fcece058e729e2c21e7085b600b41
    SHA1: 5503bce7be753d1b0975811fe33ac0ca808706a8
    SHA256: c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
    SHA512: 434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1

  • \Windows\SysWOW64\fcmaiuma.dll
    Filesize: 76KB
    MD5: d47460e7a690aa4518595f6943e64a33
    SHA1: 99dc72b69d36fdf4a206dc4cbebcee0b0e6fecf6
    SHA256: 20d2dbe3fe247d3b47bb76391ce79081033aefd49698b860c0559663247ecc6f
    SHA512: 08b9d09d397255b6a5edba02d71da04907b0bddcf626e0073a084f7d08ba65e696904a44a000d4eababe370a8a47aa19c0ce104765c1053b1a8f323102b36bda

  • \Windows\SysWOW64\nsacesh.exe
    Filesize: 73KB
    MD5: 4f0d325d862e6691089e6353f24cc723
    SHA1: 89a2130b326d498eea816aeeefaf5a19353cddf4
    SHA256: e27d664a3976999ae06a731ff59db1ffa4950e8285f00516c61acbfc56f98127
    SHA512: 5d6afe8c451d615dd87d88c5fdbd926f1671ebb433ce24f7ea011dcfb26ff6d1c40c8d772021e59bdbd7d7b57dfe9e9b4c89d4a73750e67976437122040cc4ba

  • memory/1248-3-0x0000000000310000-0x0000000000396000-memory.dmp
    Filesize: 536KB

  • memory/2980-16-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/2980-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB