Overview

overview

7

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2024 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    6ee8535bb232fe000b49153b670a1803

  • SHA1

    f614e5e362ea0f85f8938e337591c210831db32f

  • SHA256

    c41c07c2d1e2fd62641eba007673cfcd56bdc30a4e608e43656805db673b151f

  • SHA512

    859a1e0a60075e13e9c84ab976758f78f1019aa5d8bda7137bd5efc92bf677e7c01d285087724d11f04bccbf707d490719abb52c22fa97c688a108b971ea54fd

  • SSDEEP

    49152:YImcWL9IPguCKmUIZ79ecM8Cmh2HL7dGfCybeiFkq4nF3SbYN2Y:YH9fF79bMbQExGf5eiFL4nF3Sbi

Score
7/10
spywarestealervmprotect

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PzuYODAeYp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1500
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:868
              • C:\Recovery\3188eae2-d10e-11ee-830b-de7a5808f9ef\csrss.exe
                "C:\Recovery\3188eae2-d10e-11ee-830b-de7a5808f9ef\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2072

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\PzuYODAeYp.bat
      Filesize

      186B

      MD5

      2dfbe3c14e62c410b40b708fe7234a09

      SHA1

      153f6ecba618d2ea0e5e1ce4dd00f91c9a7d28d5

      SHA256

      3eb444e2c45a1da5e8cea6c2b0ed6216ac43531a4ca5d59a80cff674ab545f3f

      SHA512

      d1b0a0ce12609dec3a16c508e8e8c00fc24e394c19c9ffafef8cd223c3226af456d137cf5409bff7b9648ee8d1322bb7722e9f2f135a9ca792daaa49a1a1f033

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
      Filesize

      35B

      MD5

      ff59d999beb970447667695ce3273f75

      SHA1

      316fa09f467ba90ac34a054daf2e92e6e2854ff8

      SHA256

      065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

      SHA512

      d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      Filesize

      2.4MB

      MD5

      3ed540faf4896c7f82a2643dfd501525

      SHA1

      2ca1ac39738968ead234b489cc69f859d4e67a7f

      SHA256

      c2958372620455f32fe5836d1aa4d37feeec6009e17ed1df5d14944645eb8a81

      SHA512

      82d8b95f057740cb35f65deecd5d2367814041119b0cb5afc800aa4fa8500f2953ba94d390915b6241d959575e131d6e638b3dae66963de9f8e60e2f9a6dad97

      Download Submit

    • \Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe
      Filesize

      2.1MB

      MD5

      99e521a2816ca108f31a4a26e971dd67

      SHA1

      194e9801a30e3bee67d49b160115373022c9ff32

      SHA256

      65c33f919aa4b3be2f4b7316f66ffeac9441e735b6e846b84b8e331951c8c5c7

      SHA512

      4ff9abbecac209b00a9e613daabf3e9df7b0d0db28ce62f3ecc011919617f8ef542f9d95d905ebc62b9b081bc1ab1192410ea9e273cf1bcdac59f78390dbcbb6

      Download Submit

    • memory/2072-93-0x0000000077410000-0x0000000077411000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-91-0x0000000077420000-0x0000000077421000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-96-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-95-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2072-94-0x0000000077400000-0x0000000077401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-98-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-99-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-97-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-89-0x0000000077430000-0x0000000077431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-87-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-85-0x0000000077440000-0x0000000077441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2072-83-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-82-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-81-0x000000001B6D0000-0x000000001B750000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2072-79-0x0000000000C80000-0x0000000000FF8000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/2072-80-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-46-0x0000000000260000-0x000000000026E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2688-75-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-59-0x00000000008A0000-0x00000000008FA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2688-60-0x0000000077400000-0x0000000077401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-57-0x0000000077410000-0x0000000077411000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-56-0x0000000000770000-0x0000000000782000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2688-53-0x00000000002B0000-0x00000000002C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2688-54-0x0000000077420000-0x0000000077421000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-51-0x0000000000290000-0x00000000002AC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2688-49-0x0000000077430000-0x0000000077431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-48-0x000000001B610000-0x000000001B690000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-47-0x0000000077440000-0x0000000077441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-44-0x000000001B610000-0x000000001B690000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-43-0x000000001B610000-0x000000001B690000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-42-0x0000000000140000-0x0000000000141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-41-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-40-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2688-39-0x00000000002F0000-0x0000000000668000-memory.dmp

      Filesize

      3.5MB

      Download