Overview

overview

10

Static

static

10

NZqhGfqWq.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NZqhGfqWq.exe

  • Size

    536KB

  • MD5

    bc389e564d09707cc36671f296665afd

  • SHA1

    09448c0068106bbf674cae0d7dbb838e469dd896

  • SHA256

    07f3462682d325ceac97d83e7f3d678ab56b9d1b74a51ad6ef6ff49767e30c3d

  • SHA512

    25ea85dba05ce62fcda6d5621d9ef157c24a4037895513c6ca691e74406e25d1f0f0a57a546a5ba5e8cbee0371cc9f285a7e1c6f91bd6c20e29a9a1b3f58d931

  • SSDEEP

    6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJU8:OPw2PjCLe3a6Q70zbYow608

Score
10/10
predatorstealercollectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • PredatorStealer

    Predator is a modular stealer written in C#.

    stealerpredatorstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NZqhGfqWq.exe
    "C:\Users\Admin\AppData\Local\Temp\NZqhGfqWq.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\Zip.exe
      "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672.zip
    Filesize

    443KB

    MD5

    6ff1916b27f97eb60cfe05f88e43b53a

    SHA1

    6db96e6dd80b8a90b91b8ebd321bfa5cb096e31a

    SHA256

    35b41e6b95e9c1e0b45410cb4ad4a72e6fe0f1037db45d6dfa4d25a456a51d70

    SHA512

    30998d889903062c9ee2fe65a6e24abfac319a3e2f1a47d17e3479228d05a600f13c7ccc1c01bdc421371faac6d5e93496f1245e090e80a73342b68a3dcc2305

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProgramList.txt
    Filesize

    3KB

    MD5

    db688fb8707737b3179a33fdc1e85951

    SHA1

    c25c9d25afe2222324c5bc1581f9d275efc70b8a

    SHA256

    533e12e2d8cc7c43c4c9bc2ab2428a8dbfdcb4f18126d6f63dfa33f4452ea56f

    SHA512

    da2d85750c45a22ba2d7124bb7f39f62fea0d0d7902ebe5114ca82d8e4c50499a8e2335cec18072ca17f437294981a0041bbf5672a129e16efea769c55906268

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProsessList.txt
    Filesize

    1KB

    MD5

    97d31405f4f5028ae0850b7d426c3e07

    SHA1

    eca88b014bdf988bc2e383dc0e7020b5c7fddaaf

    SHA256

    bac86897b4c8aaf34b7d3d56497edfd515b99661c4f473ea7d953ca768b3c40f

    SHA512

    c095cb0a31aaaa0bb5ef4eebcdd1207b65f46f4a412d525227f0cfd683df6c3b805128acf18e6121ff84039866d7afb4e265b5e894e3ca1bd9e9f369fcd1a7b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\Screenshot.png
    Filesize

    443KB

    MD5

    7fe6943e706cd5634a7f1269b3de070c

    SHA1

    9fb5104079853eddb3c63fc19b990516eae34bdc

    SHA256

    5a9e453dd2161fa199a8113a0a4a9b33be2988ebb579eaa1e1c2ad52f6d6877a

    SHA512

    da6c4d1e331e28bc7eca2f79893b4ccbcedbd63c21a3b53b0216862130d74fc42c8ac87941c60b621b4db19d0248191207745e75b8632e6d48c8a6d33af63f52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\info.txt
    Filesize

    315B

    MD5

    c74cef5f50c04f09fe0f0de518ebe6a0

    SHA1

    3cac0da4b7be828e86c0e78f051496e4324f4cef

    SHA256

    2bf506ec760e6ee25424bbebba33640ca5d29ebd1a5572eac3867faa67a1c546

    SHA512

    ded54d437ff6e17e33734481406eaf886b5c152781d4145da181eda4b94b959ba54b9c3d16cedec91e983a31f72d441e97c0983eeaa398c076ccae61852706ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Zip.exe
    Filesize

    31KB

    MD5

    af07e88ec22cc90cebfda29517f101b9

    SHA1

    a9e6f4ae24abf76966d7db03af9c802e83760143

    SHA256

    1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

    SHA512

    b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

    Download Submit

  • memory/840-26-0x000001C6D7270000-0x000001C6D727A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/840-34-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-24-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-25-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-23-0x000001C6BCDC0000-0x000001C6BCDD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/840-27-0x000001C6D72A0000-0x000001C6D72B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1948-0-0x00007FFB470E3000-0x00007FFB470E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1948-4-0x000000001C850000-0x000000001CD78000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1948-3-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1948-2-0x000000001BA50000-0x000000001BC12000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1948-7-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1948-35-0x00007FFB470E3000-0x00007FFB470E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1948-1-0x0000000000990000-0x0000000000A1C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1948-37-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1948-38-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

    Filesize

    10.8MB

    Download