Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-04-2024 01:25

General

  • Target

    c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

  • Size

    292KB

  • MD5

    a3bc5a1f20e21874d56c71282c3104fe

  • SHA1

    90e6f287921d4a59ee7df91dacc191ab1645fff9

  • SHA256

    c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d

  • SHA512

    ed8966e993aa10c42b433b8b1f09ea8087a2a63869adacfb3c27eb365fab43259581abc265279fa6fd0b7c1087867b70d1a36626ec0ff39b5ade35c653b2fecc

  • SSDEEP

    6144:dXC4vgmhbIxs3NBR3BHgPZacfQbdErY1iMbnz3Vq8ukh6KQFZE:dXCNi9BHg0VbWGX3VQp2

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
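The first signature above fires on strings inside the executable that match usernames typically found on analysis VMs. The following script is an added example of that kind of static check; it is not the sandbox's own signature logic, the username list is an illustrative assumption, and the SAMPLE blob is constructed so the script runs offline:

```python
"""
Added triage helper (not the sandbox's own signature logic): pull printable
ASCII and UTF-16LE strings out of a binary and report any that contain a
username commonly associated with analysis VMs.  The username list and the
SAMPLE blob below are constructed for illustration.
"""
import re
import sys

# Assumption: illustrative list of usernames seen on sandbox / analysis VMs.
SANDBOX_USERNAMES = [
    "sandbox", "malware", "virus", "maltest", "currentuser",
    "john doe", "johndoe", "test user", "wdagutilityaccount",
    "vmware", "virtualbox",
]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_sandbox_usernames(data: bytes) -> list[tuple[str, str]]:
    """Return (username, containing_string) pairs, case-insensitive, in order found."""
    hits: list[tuple[str, str]] = []
    for s in extract_strings(data):
        low = s.lower()
        for name in SANDBOX_USERNAMES:
            if name in low and (name, s) not in hits:
                hits.append((name, s))
    return hits


def scan_file(path: str) -> list[tuple[str, str]]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return find_sandbox_usernames(fh.read())


# Constructed sample blob: a fake MZ header, one ASCII path containing a
# sandbox username, one UTF-16LE username, and an unrelated import name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\sandbox\\Desktop\x00"
    + b"\x01\x02\x03"
    + "WDAGUtilityAccount".encode("utf-16le") + b"\x00\x00"
    + b"GetVolumeInformationW\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, s in find_sandbox_usernames(data):
        print(f"{name!r} found in {s!r}")
```

A string hit is a weak signal on its own: legitimate software that enumerates accounts can carry the same names, and a packed sample will not expose them until unpacked. Treat it as a prompt to look for the corresponding behaviour (account or hostname checks before the payload runs) in the process tree rather than as proof of evasion.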

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe
    "C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe
      "C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe
        "C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2544

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\horse girls feet .avi.exe

    Filesize

    1023KB

    MD5

    fb784116f908827499ad2eb224ce85ed

    SHA1

    97cc0f3f8b1fad768eb689a5c752b51f95d68626

    SHA256

    452a4d5e51b00eb5da19b57b049a1e5244922aef41cf7456a8cd470bdde9cfea

    SHA512

    5c20490d63d0c180f97df7aea0fc4f303d10aa224247b471c8dbf786ec30f27866c852a74fa6c5a5c67311f5791e783a36eca4951db49f3b379f219c1f6d8d69

  • C:\debug.txt

    Filesize

    183B

    MD5

    322fb3f0bef77a2e1f93a03e4a65816d

    SHA1

    242b156c1d8c8dfea4345972ee0ff50018e00185

    SHA256

    2df76267bac06d3edc88aa82435b645576c9b054e56b43a94d363b3185ae5111

    SHA512

    6fd93b54931f9232032d1d7a564be633a681ba531a7557985e81bc2865bf4f7e31616c723ba3f8c066d0447288dd98f7397e76179e796b94c965ddf0a2b6e06d
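The first dropped file above combines a media-style name, a space before the extension and a final .exe, and lands under Program Files. The script below is an added triage helper, not part of the sandbox report, that flags dropped-file paths with those traits; the extension lists and directory prefixes are assumptions chosen for illustration, and the two paths it is run on are the ones listed in this section:

```python
"""
Added triage helper (not part of the sandbox report): flag dropped-file paths
that use lure names (double extension, whitespace padding before the real
extension) or that land in system locations.  Extension lists and directory
prefixes are illustrative assumptions.
"""
import ntpath

# Assumption: extensions that execute when double-clicked on Windows.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Assumption: document/media extensions commonly used as the visible "inner" name.
LURE_EXTS = {".avi", ".mp4", ".mkv", ".jpg", ".png", ".pdf", ".doc",
             ".docx", ".txt", ".mp3", ".zip"}
# Assumption: locations an ordinary user-mode dropper should not be writing to.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify_dropped_path(path: str) -> list[str]:
    """Return a list of human-readable flags for one dropped-file path (empty if clean)."""
    flags: list[str] = []
    low = path.lower()
    base = ntpath.basename(low)
    root, ext = ntpath.splitext(base)

    if ext in EXEC_EXTS:
        stem, inner = ntpath.splitext(root)
        if inner in LURE_EXTS:
            flags.append(f"double-extension lure ({inner}{ext})")
        if stem.endswith(" "):
            # "name .avi.exe": the space pushes the real extension out of view
            # in narrow Explorer columns.
            flags.append("whitespace before final extension")

    if low.startswith(SYSTEM_DIRS):
        flags.append("written under a system directory")

    _, rest = ntpath.splitdrive(ntpath.dirname(low))
    if rest == "\\":
        flags.append("dropped at drive root")

    return flags


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Classify every path and return only those that raised at least one flag."""
    return {p: f for p in paths if (f := classify_dropped_path(p))}


# The two dropped files listed in this report's Downloads section.
DROPPED = [
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\horse girls feet .avi.exe",
    r"C:\debug.txt",
]

if __name__ == "__main__":
    for path, flags in triage(DROPPED).items():
        print(path)
        for f in flags:
            print("  -", f)
```

The double-extension and padding checks are cheap to run over every dropped file in a report and usually pay off: a benign installer rarely needs a media-looking name with trailing whitespace, and a file written to the root of C: by a user-mode process is worth a look even when its name is innocuous.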