Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 18:28

General

  • Target

    0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe

  • Size

    1.9MB

  • MD5

    4e221d041d5ee23892fde0844fd995c7

  • SHA1

    44f8ff646a34b9e041f639bb23b21c47aff547d4

  • SHA256

    0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5

  • SHA512

    ff870183dcbc285bd04023a57bd0d25c8fc564d7247960e4da07f86fec3e85051edf6a2993444949f621e60bf1b38474c257a326f3bf81fa9622a5b0fc5427e7

  • SSDEEP

    49152:54VWxxha0+QLXFsc9sz/m2k3HKPqcutQA2NADTb:mGIQLidjk31cOQhNADv

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
    "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
      "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
        "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1340
    • C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe
      "C:\Users\Admin\AppData\Local\Temp\0a8eff6adb55385aca0514565ac83b24078e1e2979b6544d51a3c89d06abadb5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian gang bang hardcore licking castration .mpg.exe

          Filesize

          1.1MB

          MD5

          345f7f8813847ba17e5767396f86a1ed

          SHA1

          c694558fbf7dadbf62c4e2eea9462f2c0627c51d

          SHA256

          f7e2f5be9d76ac8ba7034023df8d5ef82e61c011316551ff09f5545792e69c4d

          SHA512

          7d7483d6fe005987c99eebcae232fc41dde7bb25300d0edc2b1f8ae93fc12b6a060a31f177794ac1781a82e8221a336a28a15b20fae227bb45080520355977b0