Analysis

  • max time kernel
    154s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 20:10

General

  • Target: 39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
  • Size: 231KB
  • MD5: 5585f803fad5b438773e7ba57cdb9933
  • SHA1: 3ff53a435ca1d31f7ca952bac220b5665f9435bd
  • SHA256: 39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014
  • SHA512: 1ae124a4e3634183bc0ba042352e15c1d07b93f8332861d333a7c303120c90825d43d8509e423903b9d77b150b7d0f03c7ea01ab14aa3975c1cd5c5ba8586789
  • SSDEEP: 6144:oGHGRpO9p1om9+xs3NBBRsnePcFaCphQKpqu4FeFV6hkiFrtL0T:oGHasii9BEneUFaCph5p9/ihN0T

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (10 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
    "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
      "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
        "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\spanish cum catfight sm (Karin,Sonja).mpg.exe

    Filesize: 1.8MB
    MD5: 83ea3fbc445a1d09f958eb4b73c78ab4
    SHA1: 182ba11beb8630ac0016abd82f9b172caa0c1532
    SHA256: 1e8a67f2add8debcbba7dedf748d6636347427dd7306728a75bbf63d2a78d1f3
    SHA512: d27dab1a5b4fc716c97d4ef704aba3802c7d46ed2de251f700aec5ec4479b54fadfb467106d02da4dc9ad65b1a5c979ed4c50b990b5fe4727ca3468200856541

  • C:\debug.txt

    Filesize: 183B
    MD5: 01e0f34462e929e03ac9ecbf7b8e626d
    SHA1: a6e1d3719bc4e33ba41180d03fd2acd9ac939cdd
    SHA256: ba688cf1befc0b610394e8f13c8fe83d201defd1415b1d39c5da420aed558964
    SHA512: 49d2ce886d72a4a7d927c60bd53d789a5adb81251d8b7d93d7737a4a6d88248539d17b5080829ed36a4792cbd263063964534b046e65ef75554d1b79e47ea220