Overview

overview

9

Static

static

3

032d4c4b1b...72.exe

windows7-x64

9

032d4c4b1b...72.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe

  • Size

    455KB

  • MD5

    9eca82d1ff4bee0b79fb73fd9e333a93

  • SHA1

    cdeb36f8dbbf6bc4ef1fba4e33e4d39a7d5e8fdb

  • SHA256

    032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672

  • SHA512

    c70160b2ed7ac3dae0830536de5f2cbf8c3d36b402654d6a7cebcb64a9a49d47023ad0f83ee88057ec845571addfa46839773554e31d06986e26c58db5c893e2

  • SSDEEP

    12288:KLxNI8KjYJK+N5VS+9HTA8gbqk8PP/OsmeMVKsvEfg0+H:KVNYjYJK+d+mk6/Opnv30S

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 5 IoCs
  • Detects executables containing base64 encoded User Agent 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
    "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5644
    • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
      "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5292
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2820
    • C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
      "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe" silent pause
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4784
      • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
        "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    Filesize

    458KB

    MD5

    cbfd4a1ca918e7fc1e3fb55d24a649fc

    SHA1

    69ffc59d100318416731ca273d8885dc8fa7b8c5

    SHA256

    edc4062b110016cbfd3bed0099d45bbf4331591155359192fa72fee87583b290

    SHA512

    051c7087b664f879cde29cc0ea6aea4370c7635364ffa9ec8327892b64dd59e0e3d5192846d0d7913ddecbf64e02a1b64769e150eb404fa4409dd397d0d4e330

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    Filesize

    458KB

    MD5

    f4b40f4cd9b25058082ab755a4293505

    SHA1

    4586efdf234760f9e7def3d9752f98f4040d36ad

    SHA256

    81f5e211ddf349d534f0641e086335e3dd9bd7fbcf2e5cef723c0bc9fcf5b475

    SHA512

    0630aa442e5daaf046d13be8a0052551cc9cd4ca00039ed2df172c35bd413b2da374ecf98ece3824168da33d3b2e095e65116cb96b1a2bc94a2d8a6b311eac20

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
    Filesize

    10B

    MD5

    39421abbe92259c8aa00d698b30b708d

    SHA1

    be4a2015eef137bf2809d2dd3b60d7bc7923812a

    SHA256

    670a7aa90d3da948a70f1bbce1d205acb50916501bbee232dd40d2366d6205a1

    SHA512

    d3b309dfff45393f2337db304a402ad04394bc8e03b8d3d542a131b2698b7770854eec8ed0fde42abdc722e47870e9e3d50957fa18c20d8d0b63f16db93af338

    Download Submit

  • memory/4516-73-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4516-85-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4516-74-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4592-1-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4592-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4592-47-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4784-72-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4784-87-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4784-61-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4992-49-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4992-48-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4992-94-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/5292-35-0x0000000063080000-0x00000000631EC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/5292-34-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/5292-93-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/5644-16-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/5644-71-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download