Overview

overview

7

Static

static

3

use_2024_t...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2024, 16:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    use_2024_tо_оpen/Sеtup.exe

  • Size

    343.8MB

  • MD5

    57727a3bcd0c97b5e5cf8a67a2271602

  • SHA1

    44d9e79f30fbe53765d7db71e8120d61b577d718

  • SHA256

    4c849df549c3c4e370289f72322e3bfcbc9ccf521603b816dc095f8d86f38a2c

  • SHA512

    4882ee7eb649a9af7a3bcae41d664886cf3d84f1488f7237e4812b0b93b98cb4839c02a76741a7b86c82c516e1e3db47af412e1045354678c3493c12ba046a30

  • SSDEEP

    98304:k9PPEh7HbYwToFAksVAkTaT6ltkMsXo19Dd4UgNsCctNK2rPk80:03Eh7H/TsTytHsY19DwCxrPc

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\use_2024_tо_оpen\Sеtup.exe
    "C:\Users\Admin\AppData\Local\Temp\use_2024_tо_оpen\Sеtup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        3⤵
        • Drops file in Windows directory
        PID:4080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:1712
  • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
    C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
    1⤵
    • Executes dropped EXE
    PID:4908

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
          Filesize

          925KB

          MD5

          0adb9b817f1df7807576c2d7068dd931

          SHA1

          4a1b94a9a5113106f40cd8ea724703734d15f118

          SHA256

          98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

          SHA512

          883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg
          Filesize

          495KB

          MD5

          b36280ab2514b1772d2058fe14633850

          SHA1

          57b4b40365eb4e26aa9f9125acc9965210776195

          SHA256

          a3b628be13ef3a1f09ab8e4af4f59203e7e721283bd9414f2a35c03abd0ecf46

          SHA512

          7c13c658c2be4430aa7e6fa4a6b6116a91e5cf5c9ce425eb698236193b96d12656d264ce3f19940a17b8a59f7b7e5dfb1ea0c0c9dc381a788c3acf4f8fdfddfa

          Download Submit

        • \??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp
          Filesize

          491KB

          MD5

          9533ba8d9930f60f0b6257bdb79b2384

          SHA1

          b0b9dc920e83343784e818dcf4d9607de51118bb

          SHA256

          6a30579a54855ff5899cd73278d61e6b3d69abadc7ffedc6c0e0c3aa03594131

          SHA512

          e86c782b98b28e8eefc03cb703eb2c640d6b748285b76c93f8a892e2427a20de00c7dd4c141e1c38e69b2f78b54f6705e2ae40071aaba0392193fc1a7071259d

          Download Submit

        • memory/3408-0-0x0000000000450000-0x0000000000451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-2-0x00000000004B0000-0x00000000014B0000-memory.dmp

          Filesize

          16.0MB

          Download