Malware Analysis Report

2024-11-30 04:11

Sample ID 240408-bsyahacf76
Target c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb
SHA256 c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb

Threat Level: Known bad

The file c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:25

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:25

Reported

2024-04-08 01:27

Platform

win7-20240215-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\NFbMAPE.exe"
Process: C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2980 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2980 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2980 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe
PID 2980 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe
PID 2980 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe

"C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2yf4yukc\2yf4yukc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC44A9FDFF959F4A35A98391B3AA3E7F5A.TMP"

C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe

"C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nefoe.zzz.com.uafiles udp

Files

memory/2980-0-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

memory/2980-1-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

memory/2980-6-0x000000001BA50000-0x000000001BAD0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2yf4yukc\2yf4yukc.cmdline

MD5 a3a8556aaa30abe6312ecded54e4e088
SHA1 3403831f213f9e5fe96344a80aa5ab1d32302820
SHA256 0a825ad448f2b2045cb442794a9641f9f58f1fa9269ac7d6c0c7f14962aedec3
SHA512 543f5df30679ba6dc3f329f25af79fba62a2a3c08f90add51d2f196a8cf6605bf6af09f9ac8b0b8583f6e4e612c60d2aa9e0b2081ba86ae3f455bd342b78a14b

\??\c:\Users\Admin\AppData\Local\Temp\2yf4yukc\2yf4yukc.0.cs

MD5 f9b39b0739c6b5286638cd8b79317202
SHA1 1b403c538536b2fdfc1142a528ce9b69564bf9e5
SHA256 60e6b02bff4ef14ef1c6e3197f147efa3fc7f545a8a437dcda3267788c8b53e6
SHA512 da8ca575ead117cccaab328ab2a7a6d778764254a8e21637f4d10a175fed8a076cbe7145307eaa617e047ec3f9ed0acf4227cf5015c626684c74b6530b172934

\??\c:\Users\Admin\AppData\Local\Temp\CSC44A9FDFF959F4A35A98391B3AA3E7F5A.TMP

MD5 201b358b9eba7b67c454b4670fc37bf8
SHA1 620fb9bced83450e6f27511b8daa914e6287a427
SHA256 173f4b47b48f167c71bd61a75302f144e6ddc1a2e57471ef0883fa2e7352db86
SHA512 5c4efef4776125e3c542b22c321f08a7cb17b3a3cf067e595366cd75cce3839643648042f6c6f2dc2a82efadbbb78ddfceb934a24da64d7e6b0d2263146ba010

C:\Users\Admin\AppData\Local\Temp\RES1B6D.tmp

MD5 bc94b1144254a77b4bc62b78f5f1126c
SHA1 ae3764258a98e25d6d560a3e32a1caa9dec54fdb
SHA256 f907b1dcdcfaf9cdf538ac0bb1b31782f8fcf159a65bb33158124c4b9360a180
SHA512 b32a1edd58c86325d42e46b21d7a9f185d3adfd03c667ca488c0c319f8e7d2dd3e6b23c6ebee455ce8e69c76d6e83b7a2dc74933dea8e821a61dab0d1abd6769

C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe

MD5 7f25406f9ea45178acc8791bebb1b4bd
SHA1 8609dc41bb45b1cef588894b188f659395b0ab13
SHA256 551565b2be7a45f0a5b1023dfa5ec62067af1b9266ee4ab927ba1c95b99f3443
SHA512 a55673b7cdee2122d30aaab9d018b715370747bed0d4039cf87c7e5866ffa427b62a1fc9dfdbd65feee018c8aac9e3f3584e47efa8ea3d6844e19b2b4797e255

memory/2440-28-0x0000000000980000-0x0000000000988000-memory.dmp

memory/2440-29-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

memory/2440-30-0x000000001AD00000-0x000000001AD80000-memory.dmp

memory/2980-31-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

memory/2440-32-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

memory/2440-33-0x000000001AD00000-0x000000001AD80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:25

Reported

2024-04-08 01:27

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\NFbMAPE.exe"
Process: C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe

"C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3qikdzx2\3qikdzx2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2BCFFBB8FC3142A3A467CF60D98B8E47.TMP"

C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe

"C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 nefoe.zzz.com.uafiles udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2664-0-0x000002244AEC0000-0x000002244AED2000-memory.dmp

memory/2664-1-0x000002244CA40000-0x000002244CA4A000-memory.dmp

memory/2664-2-0x00007FFF539D0000-0x00007FFF54491000-memory.dmp

memory/2664-8-0x000002244CC20000-0x000002244CC30000-memory.dmp

memory/2664-10-0x000002244CBE0000-0x000002244CBF2000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\3qikdzx2\3qikdzx2.cmdline

MD5 55187dac39a0e400efb81b7f21c3e065
SHA1 ba9a0c995b25047c5be9ad13cfc85bc2935aaba4
SHA256 b0684f1f89322298763ea0a848146e4261948eeef2e26fe16f769aa0bf20a43e
SHA512 161afb473553553ff6f91494a32282999bcef14c5428c6960ae2f8a9cd87059f6032f3d15328f1d954247b349ca9a2cc3bf0fc3fd75f689e37bde055e4db724b

\??\c:\Users\Admin\AppData\Local\Temp\3qikdzx2\3qikdzx2.0.cs

MD5 f7ce09127bf57f3ca232ce17f9dafe2d
SHA1 2ffc33a27685b83269b4285d744f565e037e5413
SHA256 975d9eebca817984e2882fb2b72318d526741b417b05b4dc74a3fca616d652ad
SHA512 af637364a3a0032320d434ec32fc8a50ae45f5dffaae9783d33ec7039c72c232276737a8bf40f39c30d52970100f69215a48984fa8ff68b03d69abf7e650d368

\??\c:\Users\Admin\AppData\Local\Temp\CSC2BCFFBB8FC3142A3A467CF60D98B8E47.TMP

MD5 201b358b9eba7b67c454b4670fc37bf8
SHA1 620fb9bced83450e6f27511b8daa914e6287a427
SHA256 173f4b47b48f167c71bd61a75302f144e6ddc1a2e57471ef0883fa2e7352db86
SHA512 5c4efef4776125e3c542b22c321f08a7cb17b3a3cf067e595366cd75cce3839643648042f6c6f2dc2a82efadbbb78ddfceb934a24da64d7e6b0d2263146ba010

C:\Users\Admin\AppData\Local\Temp\RES53FC.tmp

MD5 a276b49e0d474d209ccb136a5bd6f2f6
SHA1 0b303885c85f08c7f19e66ce91eb415169486530
SHA256 ad943516fd410f67076216d69aff9cbb9d0abc6cfa7fbad18278619e87d65c53
SHA512 ba2a6735a7b06dcc1865a454fda40217bc76b1c1e602d5ee9cbef8f93f3599eb3dd335d3ca447917f54d4b3e866ee088a832bdf1c40e25d561c570311ba302b9

C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe

MD5 1199030d12ea13d836edfbbebacf706d
SHA1 83afec6e941dc1c9392a773c7df0ee5f1d2eac08
SHA256 878b00faccdbda0e5ead3bff8d5b9cc5fbf79d2c5a3715bd03590136af31f2b4
SHA512 649d13f7dab2efdec896ed88a9f2e4853af8ba8ca471b982c8fdabf3a21c38f83d6cadd6a782d2fabc4f41103e8b0f70245ff4b0129353418301f85c083a2f9c

memory/4536-34-0x00007FFF539D0000-0x00007FFF54491000-memory.dmp

memory/4536-33-0x0000000000610000-0x0000000000618000-memory.dmp

memory/4536-35-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

memory/2664-37-0x00000224654A0000-0x00000224655A2000-memory.dmp

memory/2664-38-0x00007FFF539D0000-0x00007FFF54491000-memory.dmp

memory/4536-39-0x00007FFF539D0000-0x00007FFF54491000-memory.dmp

memory/4536-40-0x000000001B1D0000-0x000000001B1E0000-memory.dmp