Overview

overview

10

Static

static

10

c5ddccd656...c9.exe

windows7-x64

9

c5ddccd656...c9.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2024 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe

  • Size

    634KB

  • MD5

    418b8dbb11bf11abc5dda81bc7b5640f

  • SHA1

    4ed339ce928db7be44982d3d60d5936f251a8bcf

  • SHA256

    c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9

  • SHA512

    8d821a4a09b353f30e61cc446c7d7f38c9cfe4b77905adc5d81e3b7a46e483a4ab378a2d7ad6d3540e2d295fb7cfb6b0f79740f4dccd23aff794271cd94d5dfd

  • SSDEEP

    12288:oGHasii9BuCyz/g/FaRQ1qoMVYQoRT1q2zyD8tQpRoEAXH77nUwzj7qs9/v1DPY0:8614sFaq6MRcoyDLpR1A377XjmIvt2j8

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe
      "C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe
        "C:\Users\Admin\AppData\Local\Temp\c5ddccd656c81bf5244ca9637ffbeb8c4415b255935b0846799a30bf81c335c9.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian fetish horse hot (!) (Sarah).mpeg.exe
    Filesize

    874KB

    MD5

    490f41aa822ff687152041698d6363d0

    SHA1

    4ef4ccce8ae2ccf00f769f900bb817a452dca44b

    SHA256

    c9c42e8dcdbdd6a2b3273cc9a9c8d13371b0d6afbf779eac182f4d1763f2f875

    SHA512

    e15212687e3cf1ef5aa883a9e452ef228a2ff8ede1237a0d57cc4013c401c5202ba63438128c205da13610b0d12a17a589f54989713e1287d5d01dc1451202ee

    Download Submit