Overview

overview

8

Static

static

3

ORDER CONF...cr.exe

windows7-x64

8

ORDER CONF...cr.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe

  • Size

    1.2MB

  • MD5

    65381bc5947270a4cd95fc31359c70f3

  • SHA1

    c9d54bf3730a72f5fa7ab92659ea1874d539297e

  • SHA256

    9681f60064bcf9cb185d49d8fc355fa75daef418188f0a20db66a96884f14733

  • SHA512

    064d6c12c3123db1c2617ef2f19cbd48a9e52e232b67b9fb992d00c1a056b3ca2030a45e63cd4b49dc4075c8351f1cada740c4c622186fed172aa5cb73b26820

  • SSDEEP

    24576:nOdyJRGkkkHmk1538alCRmlCqyKDZae6ts91hO2ak2yrF+BOtu:nSyH9kEmkP35C0lCqFo5S/aklJ+ot

Score
8/10
collectionexecutionspywarestealer

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gOgYYSaHwal.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gOgYYSaHwal" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7446.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2448
    • C:\Users\Admin\AppData\Local\Temp\ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER CONFIRMATIONS MAIN STORE USP-PO-2403103 USP-PR-2024.scr.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Hexiaadkgs.tmpdb
    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7446.tmp
    Filesize

    1KB

    MD5

    29d4a7ea692f77df888a6bd98d657488

    SHA1

    21ac98900c71f10ad933e16f26ae9c0adf5dce4a

    SHA256

    d82aba0a5fc84e9b0d8fca237d16ba36740c4eac4bd2c96374af72cf82164287

    SHA512

    fad49c6b55e0cae22241880f36ff9b2f8dc218a925b04b1531ce36025bb20efe4ac7413d3d66aad83ce82762b6a589c56d8bef656fae9cbf158e9c3858d12cae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    4a72a6a2f1b2c8c94eb164fa61b2478a

    SHA1

    3e1ecb1c6f8ad15caab23b128bf6f73899169135

    SHA256

    2a948ec9d71f562fd2f7fa5ea87bf968df2c3fd929def9681cd188142f57ddb0

    SHA512

    9e88029586ce469e1a7cbd71cecf3beee4d28d1b1d7d836a76f6d221089a40ca63512c0b544d959890b53a7102d2f0b70c1a1b35bc208e26f8af0f6e891db8d6

    Download Submit

  • memory/2156-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-1-0x0000000000F50000-0x000000000108A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2156-2-0x0000000074C10000-0x00000000752FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2156-3-0x0000000000460000-0x0000000000474000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2156-4-0x00000000006E0000-0x00000000006E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2156-5-0x00000000006F0000-0x00000000006FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2156-6-0x0000000005140000-0x000000000525A000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2156-12-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-46-0x0000000074C10000-0x00000000752FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2912-20-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-25-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-30-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-29-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2912-26-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-22-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-32-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2912-33-0x0000000000CD0000-0x0000000000DE6000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-37-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-35-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-86-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-84-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-82-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-80-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-78-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-76-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-74-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-72-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-2320-0x00000000004E0000-0x000000000052C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2912-2319-0x0000000000E30000-0x0000000000ECE000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2912-70-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-68-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-66-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-64-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-62-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-60-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-58-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-56-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-54-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-52-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-48-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-45-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-50-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-43-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-41-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-40-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-34-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2912-2321-0x0000000000C50000-0x0000000000C7C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2912-2322-0x00000000054D0000-0x000000000554A000-memory.dmp

    Filesize

    488KB

    Download