Overview

overview

7

Static

static

3

6802938ccf...48.exe

windows7-x64

7

6802938ccf...48.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 11:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6802938ccf10ea9b804bb2d7b8a65048.exe

  • Size

    1.1MB

  • MD5

    6802938ccf10ea9b804bb2d7b8a65048

  • SHA1

    8bdf939d410e197cc97b4125df674d63baae50fe

  • SHA256

    67b19e3b641fc17f4d751a4c81c2461215e51513580f72d4c3fc9e17b623293b

  • SHA512

    1035bd222d77b4a60442aa0147fc658e0cd77c51c8db533a19c96141fd09f492ca1a3a80a78ea6b2f2e22d1a0b4b60d268630622d74dc7f3044175b560f849fe

  • SSDEEP

    24576:lq8OLfvniBfba2rZmLKs+it8EUBqNTLgOiw0GFPw1/m22IOYUB9Nm:Wrnixb/Vmmnit8lUYOiB9VrEYm9Nm

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe
    "C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe
      "C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe
        "C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1708
    • C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe
      "C:\Users\Admin\AppData\Local\Temp\6802938ccf10ea9b804bb2d7b8a65048.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian nude [bangbus] (Britney,Samantha).mpeg.exe
    Filesize

    1.4MB

    MD5

    1843e55e367d3eaede0d6e7fae650bf9

    SHA1

    b4a2d6e0fc0d74097fb80ef3654f2b62251fee7d

    SHA256

    c3efb451af5918656c3cd93bab8574086e303abe47243dfc6628483ed1dbaea8

    SHA512

    cfa5dfeae17021e13705d99d08e494bf4130259ed80e0ecb8d54ec62d26fb42d3fc66069db039c74e806d17875db6ad163164e632ad8598242e88cd3996ef62e

    Download Submit

  • memory/1000-155-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1520-181-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1520-62-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1708-156-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-205-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-214-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-185-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-191-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-201-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-210-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-180-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-218-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-222-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-226-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-230-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-234-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-238-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3076-242-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download