Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-04-2024 20:13

General

  • Target

    3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe

  • Size

    1.4MB

  • MD5

    174daa247aefc52d66f535735e1f3426

  • SHA1

    09f4b3f3fb972a89dc66af59ef84f4e3584c6e00

  • SHA256

    3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc

  • SHA512

    b9ad7ba6f0eb0a4f4bf2fe693dcf26bf75e4ab78f386d0e51931d57b946e4c916273772c0882b6398359275564c1964d79ef09d4dab2b4f67bbda7d51830136f

  • SSDEEP

    24576:bHXsaqaoi0NP91nBvdVhe3lehBaaSwOwgi4EiDeo8y+MfmcxP+:j8anCP9lBbhee7owtiqo8QmKP+

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
    "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
      "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
        "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay girls stockings .mpg.exe

    Filesize

    1.5MB

    MD5

    18bdf1806ce04e968c32e6f2a3deb01c

    SHA1

    0f6dc97b3cd24107257964c4dfa856b9d86aed5c

    SHA256

    e846f8b8b4031f45dd2479779f80e3b0ed0a0c62ea5cdb5677aafa9b05422c6a

    SHA512

    195f22d1a506e7aca12fd764d63aa6da4c6e36ae94bef2a539165fb4fcdbe58a4071fdbeb35cf4911fccad29541b1027933f363ee31fa34bce202c7bebb49283

  • memory/2844-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3088-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3932-151-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB