Overview

overview

9

Static

static

3

032d4c4b1b...72.exe

windows7-x64

9

032d4c4b1b...72.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29/04/2024, 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe

  • Size

    455KB

  • MD5

    9eca82d1ff4bee0b79fb73fd9e333a93

  • SHA1

    cdeb36f8dbbf6bc4ef1fba4e33e4d39a7d5e8fdb

  • SHA256

    032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672

  • SHA512

    c70160b2ed7ac3dae0830536de5f2cbf8c3d36b402654d6a7cebcb64a9a49d47023ad0f83ee88057ec845571addfa46839773554e31d06986e26c58db5c893e2

  • SSDEEP

    12288:KLxNI8KjYJK+N5VS+9HTA8gbqk8PP/OsmeMVKsvEfg0+H:KVNYjYJK+d+mk6/Opnv30S

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs
  • Detects executables containing base64 encoded User Agent 2 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
    "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2520
    • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
      "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:3020
    • C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
      "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe" silent pause
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1724
      • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
        "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
    Filesize

    10B

    MD5

    8b549bc054dae822ecbb803f3490e5f5

    SHA1

    09402858d1610e448f0aeb3788cf3317e8f0cb83

    SHA256

    0762a04e018c81e349b8dd71d9589562e3d49cfa98dc9921acdab54bf3084d77

    SHA512

    7a75ba404c7d031298d722e92373bf8878fe4e728911a414dc69ad654f0470f04b99e8ad4f1f1e56c7a9cbdb959ef6a9c581bc9e7f8eea86b4a758dfd45d4dd3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    Filesize

    458KB

    MD5

    fa328ef5b76c4794371033972b661a4e

    SHA1

    ffe66c819fc8a8d1801489156c1d2f4cc2c72ab1

    SHA256

    139990f7535ff8af2016ddefc4d81a5c1a0cb42672d8c29cb9b6b1f2a05e9151

    SHA512

    e468d556afac5f938fe92485a11d5591b91b157cc835f749c86a4b1e31b38e561dd58f39060ec0db6d0fd50c806aeaa07a139fc29e557b7ba6bc2decf21738d6

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    Filesize

    458KB

    MD5

    549ce443b478baabad0e7d5f3a25af5a

    SHA1

    f44953870d97850a1239d15630499c2b52d8c107

    SHA256

    0494b19e9e71ea17232971abc69e493baf799aab486044ef16a7a5eda1fa3ddf

    SHA512

    76ea08012074b5615810693adc171e502272ff81f054faaaa8632f9db0c7b29b7305c0ac283ecc9abb87ee8edc7bed177cd6bbb1bc6ca63782662a625bd33509

    Download Submit

  • memory/1364-105-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1364-92-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1724-77-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1724-90-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-32-0x00000000026C0000-0x0000000002729000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-43-0x00000000026C0000-0x0000000002729000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-44-0x00000000026C0000-0x0000000002729000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-62-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-16-0x00000000026C0000-0x0000000002729000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-59-0x0000000003760000-0x00000000037C9000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2244-1-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2392-93-0x0000000000600000-0x0000000000669000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2392-60-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2392-111-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2392-115-0x0000000000600000-0x0000000000669000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2520-36-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2700-56-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download