Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-04-2024 20:10

General

  • Target

    39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe

  • Size

    231KB

  • MD5

    5585f803fad5b438773e7ba57cdb9933

  • SHA1

    3ff53a435ca1d31f7ca952bac220b5665f9435bd

  • SHA256

    39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014

  • SHA512

    1ae124a4e3634183bc0ba042352e15c1d07b93f8332861d333a7c303120c90825d43d8509e423903b9d77b150b7d0f03c7ea01ab14aa3975c1cd5c5ba8586789

  • SSDEEP

    6144:oGHGRpO9p1om9+xs3NBBRsnePcFaCphQKpqu4FeFV6hkiFrtL0T:oGHasii9BEneUFaCph5p9/ihN0T

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
    "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
      "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
        "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3996
    • C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe
      "C:\Users\Admin\AppData\Local\Temp\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2292
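
The process tree above shows the sample launching copies of itself three levels deep (PID 3516 → 528 → 3996, plus a second child 2292), with the two parent levels also tagged for WriteProcessMemory use. The following is an added example, not part of the sandbox report, of detection logic that rebuilds a process tree from Sysmon-style process-creation records and flags chains in which an image spawns itself; the records are constructed to mirror this report's PIDs, the explorer.exe launcher and its PID are assumed, and the set of memory-writing PIDs stands in for a Sysmon event ID 10 correlation.

```python
"""Flag self-spawning process chains in Sysmon-style process-creation records.

Added example, not from the sandbox report. The records below are constructed
to mirror the report's tree (3516 -> 528 -> 3996 and 3516 -> 2292); the
explorer.exe parent and its PID are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal subset of a Sysmon event ID 1 record."""
    pid: int
    ppid: int
    image: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014.exe")

EVENTS = [
    ProcessCreate(pid=4120, ppid=900, image=r"C:\Windows\explorer.exe"),  # assumed launcher
    ProcessCreate(pid=3516, ppid=4120, image=SAMPLE),
    ProcessCreate(pid=528, ppid=3516, image=SAMPLE),
    ProcessCreate(pid=3996, ppid=528, image=SAMPLE),
    ProcessCreate(pid=2292, ppid=3516, image=SAMPLE),
]

# PIDs the report tags with "Suspicious use of WriteProcessMemory". In a real
# pipeline this set would come from Sysmon event ID 10 (ProcessAccess) records.
MEMORY_WRITERS = {3516, 528}


def self_spawn_chains(events, min_links=2):
    """Return maximal chains [root, child, grandchild, ...] in which every
    parent/child pair runs the same image (case-insensitive) and the chain
    has at least `min_links` parent->child links."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)

    def same_image(a, b):
        return by_pid[a].image.lower() == by_pid[b].image.lower()

    chains = []

    def walk(pid, chain):
        extended = False
        for child in children.get(pid, []):
            if same_image(pid, child):
                extended = True
                walk(child, chain + [child])
        # Emit only at the end of a chain so sub-chains are not reported twice.
        if not extended and len(chain) - 1 >= min_links:
            chains.append(chain)

    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not same_image(parent.pid, e.pid):
            walk(e.pid, [e.pid])  # e is the root of a potential chain
    return chains


def chains_with_memory_writes(events, writer_pids, min_links=2):
    """Self-spawn chains are routine for legitimate software (browsers,
    elevation prompts, installers); keep only chains in which a non-leaf
    member also wrote into another process, the combination this report shows."""
    return [c for c in self_spawn_chains(events, min_links)
            if any(p in writer_pids for p in c[:-1])]


if __name__ == "__main__":
    for chain in chains_with_memory_writes(EVENTS, MEMORY_WRITERS):
        print(" -> ".join(map(str, chain)))
```

On the constructed records the only chain that survives the memory-write filter is 3516 → 528 → 3996; the short 3516 → 2292 branch is reported only if `min_links` is lowered to 1, which is the knob to turn when hunting for two-stage self-injection rather than the three-stage pattern here.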

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american nude hardcore hidden beautyfull .mpg.exe

    Filesize

    1.3MB

    MD5

    b9b30e686b150ad5e2569a75ddfdac18

    SHA1

    b1ab153f4a5a8bbad5887d85e8c08b13a6228b61

    SHA256

    e2bdde9b73801336709609350f8e241bd4c7fa4a49918ed8668fcd4f3bd51f18

    SHA512

    fbdd5c40da49504647c5b7809f5472aaa93f5b5c6d2db1544b486be3e3354dd5f6e4ba90c240c3218757b4cafa7bcdde549c60ff11f58931908b44acd4aa2fbd
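
The dropped file above carries a media-style double extension (".mpg.exe") and was written under Program Files, which ties the "Drops file in Program Files directory" and "Enumerates connected drives" signatures to a copy-with-lure-name spreading pattern. The following is an added example, not part of the sandbox report: a hunt script that walks a directory tree, flags executables whose name carries a second media or document extension, hashes every file, and matches against the SHA256 values the report lists. The directory tree it runs on is constructed inside the script so it runs offline; the IOC hashes are the report's own.

```python
"""Hunt for lure-named double-extension executables and known-hash copies.

Added example, not from the sandbox report. The IOC hashes are the SHA256
values the report lists; the directory tree in build_demo_tree() is
constructed so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile

# SHA256 values from the report: the submitted sample and the dropped copy.
REPORT_SHA256 = {
    "39ffa36f2f0dc6350f7c836dfd7b5a2a9cd06ac6e53df53b5c4135efc6756014",
    "e2bdde9b73801336709609350f8e241bd4c7fa4a49918ed8668fcd4f3bd51f18",
}

EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
LURE_EXT = {"mpg", "mpeg", "avi", "mp4", "wmv", "jpg", "jpeg", "png", "gif",
            "doc", "docx", "pdf", "txt", "zip"}


def is_double_extension_lure(name):
    """True for names like 'video.mpg.exe' or 'photo .jpg.scr': the real
    (last) extension is executable, the one before it is a media/document type."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return outer in EXEC_EXT and inner.strip() in LURE_EXT


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_hashes=REPORT_SHA256):
    """Walk `root` and return (path, sha256, reason) for every file that carries
    a lure double extension or whose hash is in `known_hashes`. Every file is
    hashed so renamed copies are caught; on a full Program Files tree restrict
    the walk or skip very large files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = []
            if is_double_extension_lure(fn):
                reasons.append("double-extension lure")
            digest = sha256_of(path)
            if digest in known_hashes:
                reasons.append("sha256 in IOC set")
            if reasons:
                hits.append((path, digest, ", ".join(reasons)))
    return hits


def build_demo_tree():
    """Constructed tree: the report's lure-named drop location, a renamed copy
    of the same stand-in payload, and a benign text file. Returns (root, hash)."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    office = os.path.join(root, "Program Files", "Microsoft Office", "root",
                          "vfs", "ProgramFilesCommonX64", "Microsoft Shared")
    windows = os.path.join(root, "Windows")
    os.makedirs(office)
    os.makedirs(windows)
    payload = b"MZ constructed stand-in, not the real sample"
    for p in (os.path.join(office, "american nude hardcore hidden beautyfull .mpg.exe"),
              os.path.join(windows, "copy.exe")):
        with open(p, "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign\n")
    return root, hashlib.sha256(payload).hexdigest()


def demo():
    """Run the hunt on the constructed tree. The stand-in payload's hash is
    added to the IOC set to exercise the hash-match path, since the report's
    real hashes cannot be reproduced offline. Returns {basename: reason}."""
    root, payload_hash = build_demo_tree()
    try:
        hits = hunt(root, REPORT_SHA256 | {payload_hash})
        return {os.path.basename(p): reason for p, _, reason in hits}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{reason}: {name}")
```

Two points a practitioner should keep in mind: the name check catches the lure pattern even when the payload has been modified, while the hash check catches the payload even when it has been renamed, so the two reasons are deliberately reported independently; and against a real host, point `hunt()` at the directories the report names (System32, Program Files, the Windows directory and the roots of non-C: drives) rather than the whole filesystem.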