Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 23:07

General

  • Target

    8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe

  • Size

    91KB

  • MD5

    83045f4f72ded46ca32d8779bc413227

  • SHA1

    abc00ab6f2c9a05342219dd5fe859cfef807cf09

  • SHA256

    8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a

  • SHA512

    b7e03d54313990a77c2c8de12be44a706e6ea787266d3f8fa85181a2a4e9b0cf3de961086c43cb1f1fc1befce16f5a7cc664d67ae249c3809195fdde8caa2845

  • SSDEEP

    1536:QRVCaKgzbLc54hukfgvYnouy8zV1Ayj4m/QWR/Rlq88vlnRqPR/1aViDRknJM2S9:YjbLl/gvQoutR1Tj4mYWR/R4nkPR/1aO

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 5 IoCs
  • UPX dump on OEP (original entry point) 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe
    "C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe
      "C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe
        "C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2388
    • C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe
      "C:\Users\Admin\AppData\Local\Temp\8a1edd7a6dec7c28aec32e5de4e755c5d804ece35ceae18be40378fa01fdc34a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\canadian cum cumshot big bondage .rar.exe

    Filesize

    111KB

    MD5

    4b89b6f640005d0edbbc1cb03d6cc0da

    SHA1

    1a7904b8e78a61d2e46a0931d58bcdf5196d48ca

    SHA256

    5562e3940d01f2151122054a9a44bfaeb3cf71cc616b73e209e45d34fe6732c9

    SHA512

    787ff9baa50df93ffcdd83fd937698d9c08ca2b80d844a71b30455d65fea204d20024c917f9d4ee3efc9cfc0110f9654f9f847141ab951f684b4f7cdba5c71f8

  • C:\debug.txt

    Filesize

    183B

    MD5

    2a6e668b6bd0d25c0a3b429ba53102e3

    SHA1

    2e4411006e20fad6ba897ec18732dc5345f419bf

    SHA256

    fb356dd27824b102c4dcaecc407a5b23764396b56b5e26ed25318654b67a6d24

    SHA512

    d4a500177fe3804482cca863cb43a5853773c974b73d4853ea51695b89b87ee19b29cc94df4893581e8fa942b77bc4aecc63d594dce621a720d276e93e4c643a

  • memory/2388-98-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2388-54-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2456-14-0x0000000004A60000-0x0000000004A80000-memory.dmp

    Filesize

    128KB

  • memory/2456-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2456-56-0x00000000050C0000-0x00000000050E0000-memory.dmp

    Filesize

    128KB

  • memory/2456-92-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2456-94-0x0000000004A60000-0x0000000004A80000-memory.dmp

    Filesize

    128KB

  • memory/2456-99-0x00000000050C0000-0x00000000050E0000-memory.dmp

    Filesize

    128KB

  • memory/2496-103-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2576-15-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2576-97-0x0000000004A40000-0x0000000004A60000-memory.dmp

    Filesize

    128KB

  • memory/2576-95-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2576-53-0x0000000004A40000-0x0000000004A60000-memory.dmp

    Filesize

    128KB