Overview

overview

7

Static

static

3

873546478e...b8.exe

windows7-x64

7

873546478e...b8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    50s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe

  • Size

    551KB

  • MD5

    19a473d54f8b4f91ed944773bb4c02ef

  • SHA1

    9d5fab1d5b65096390a01f5d1fa7873a97967e81

  • SHA256

    873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8

  • SHA512

    1ebc93e0a482a48b70ccb26a57707de3585a6d1252aa3defe81884111026dade14d48e2bfa2ec6ea0c39a702c5e05834f9c536e100d433a13eb7f6ff0990c8bc

  • SSDEEP

    6144:4+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWLNq4MqTJv9U:LPw2PjCLe3a6Q70zbp/sw

Score
7/10
collectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
    "C:\Users\Admin\AppData\Local\Temp\873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\Zip.exe
      "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma.zip
      Filesize

      385KB

      MD5

      a167d9fcd087b5dfbcd70a2a03336a25

      SHA1

      448be036d3f52d39ca95492d6faee7b0a74bf9c9

      SHA256

      cbc259fb23c98fab60f1d99815392d47adb5b3bee5b68c6f419232c0e5f96923

      SHA512

      33f53deb62155209bd515729d71b79e1ed6c33c47ab8cc003ec0393f00cd680c17789a862e767a8663c04c4bdba4112d1d10e1dae348aac0e8abc150f774a704

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma\Files\desktop.ini
      Filesize

      282B

      MD5

      9e36cc3537ee9ee1e3b10fa4e761045b

      SHA1

      7726f55012e1e26cc762c9982e7c6c54ca7bb303

      SHA256

      4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

      SHA512

      5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma\ProgramList.txt
      Filesize

      2KB

      MD5

      b46b382221250b211162f5f25dd3f5a4

      SHA1

      7124e5524d58b63f148b5e7e3029d3743f6b6214

      SHA256

      b5419570dc597238994e2c8ed1db189d824e00482cd4bfc54ef50988871e1e75

      SHA512

      e794b1a234fd2bd10c27ebf5390d59d24f3f59843c26adaa674aea5fd21c2a10855daf835e501f5df017c9a58f8bb546bd4999a10c3ee0eb3e82b548f668332e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma\ProsessList.txt
      Filesize

      526B

      MD5

      541aded603c80c6097770a095a06d013

      SHA1

      2bf39251141951b62db62721d85d7f987d5a4854

      SHA256

      c7b99cc848d44974c2cca43cbb3a4ddebfcb7acbe99a24aa2857f92ec95327c3

      SHA512

      8de2f97d4caec6ff3bdd1601d743167c6802a5aad5315cced5db12b746b085ead811b8a9588c8c6749c19a185eba3e064ae85bc973dcf28fa95c333d50db70ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma\Screenshot.png
      Filesize

      385KB

      MD5

      10b613b68001be661876547f678022e3

      SHA1

      c02d451e915c32743ba7e523ddbe5ef1c1cb9330

      SHA256

      f37820dc993238ce8e49478a45ac4e6596e1ad1eefe36e430e6dcb81ff101acc

      SHA512

      b64db66eb09c469bbb3669c99a0a4f072eec86235429e61050b0ec61856ff720003bc157731e1a4b12ca8dbf86e938f45f63794bf00a88c8ef65addce30cc2d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF000206D7Uibnqnma\info.txt
      Filesize

      325B

      MD5

      fa67f980cf38cca4c9127f6ba79375f9

      SHA1

      ab4b4b7de702944cbd0f0951b84235885675524b

      SHA256

      480dc2637ddc779abf51d729e51ac15f251e771ce430b793413eb69022145bfd

      SHA512

      5e949a001611f41d5ee4a8cc4a2f75841a500b1fb29350fec1b5a4db4ab93e5b26791cc472c037126e209cfcd47525e9cf18f2ff58422ab0b84db1c0c068c6d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Zip.exe
      Filesize

      32KB

      MD5

      3331f4e716921b0a3710ef0291958254

      SHA1

      e5661e224e52476e0c463fae38e1c40fd3a40c16

      SHA256

      41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82

      SHA512

      d50b307ba97b432288291ca22dbaed0b72053cc1a3a907111eb2ac5c6b2679d3b9b15e93c86bacd02d9d3c2d5945d5e73daa1f2a92b14db27840d7658fa9c244

      Download Submit

    • memory/2180-4-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2180-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-3-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2180-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2180-24-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-1-0x0000000000A80000-0x0000000000B10000-memory.dmp

      Filesize

      576KB

      Download

    • memory/2180-26-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2180-27-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2580-17-0x0000000001220000-0x0000000001230000-memory.dmp

      Filesize

      64KB

      Download