Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/04/2024, 18:28

General

  • Target
    0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
  • Size
    1.9MB
  • MD5
    4e221d041d5ee23892fde0844fd995c7
  • SHA1
    44f8ff646a34b9e041f639bb23b21c47aff547d4
  • SHA256
    0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5
  • SHA512
    ff870183dcbc285bd04023a57bd0d25c8fc564d7247960e4da07f86fec3e85051edf6a2993444949f621e60bf1b38474c257a326f3bf81fa9622a5b0fc5427e7
  • SSDEEP
    49152:54VWxxha0+QLXFsc9sz/m2k3HKPqcutQA2NADTb:mGIQLidjk31cOQhNADv

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
    "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
      "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
        "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2152

Network

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\african blowjob lingerie sleeping vagina (Samantha,Samantha).rar.exe
    • Filesize
      684KB
    • MD5
      9bf31c43268ae5510affa834a598cede
    • SHA1
      a9c3faa3085ac7da775308db29b10d0af5cea49b
    • SHA256
      40e23f72ac66a528ec1008fc8ff80888d36b97ac4255b62d2577693b4a4557ba
    • SHA512
      c0c768ec50eaee2a876f2ef3aa5b0e5a328c68695abe704b95481cd64863e0c210f655231f8cd61e72c3f6e33226a37db63bc2ea0e165797f0f66bb23df15269