Analysis

  • max time kernel
    92s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-06-2024 02:19

General

  • Target

    d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe

  • Size

    146KB

  • MD5

    0f9efaba9a13338ad97e0e6ef2aabd6d

  • SHA1

    97db912c8f0055152837e424cd8764f905a29930

  • SHA256

    d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0

  • SHA512

    c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a

  • SSDEEP

    3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
    "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:5100
    • C:\ProgramData\8A20.tmp
      "C:\ProgramData\8A20.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8A20.tmp >> NUL
        3⤵
          PID:4848
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:2628
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{12028925-39B7-4269-91E3-376A42A9DA82}.xps" 133620279022570000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:4408
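The tree above shows the two steps a hunt rule can key on: the sample writes an executable as a .tmp under C:\ProgramData, and that dropped process spawns cmd.exe to delete its own image, referring to it by its 8.3 short name (C:\PROGRA~3\8A20.tmp) rather than the path the sandbox recorded. The following is an added example, not part of the sandbox report or of any vendor's ruleset: it implements both checks over constructed process-creation records that mirror the report's tree. The Sysmon-style field names, the benign control record and the PROGRA~1/PROGRA~2 aliases are assumptions; the PROGRA~3 to ProgramData mapping is the one the report itself shows.

```python
"""Detection for the dropped-.tmp-executable and self-deletion steps in the
process tree above. Added example, not code from the sandbox report. Event
records are constructed to mirror the report (PIDs, images and command lines
taken from it); the benign control record and the Sysmon-style field names
are assumptions about the log source."""
import re

# 8.3 short-name aliases for well-known directories. PROGRA~3 -> ProgramData
# is supported by the report (C:\ProgramData\8A20.tmp is deleted as
# C:\PROGRA~3\8A20.tmp); PROGRA~1/PROGRA~2 are the usual defaults and are an
# assumption, since short names are assigned per volume, not guaranteed.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}


def normalize_path(path):
    """Strip quotes, expand known 8.3 components, lower-case for comparison."""
    parts = path.strip().strip('"').split("\\")
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in parts).lower()


def del_target(cmdline):
    """Return the normalized path deleted by a `cmd /C DEL ...` line, else None."""
    m = re.search(r"\s/c\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    # DEL, optional switches (/F /Q ...), the target, optional '>> NUL' redirect.
    m = re.match(r"del\b\s+(?:/\w\s+)*(.+?)\s*(?:>>?\s*nul)?\s*$",
                 m.group(1), re.IGNORECASE)
    return normalize_path(m.group(1)) if m else None


def detect(events):
    """Apply both rules to process-creation records; return (rule, pid, path) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # no parent record: nothing to correlate against
        img = normalize_path(e["image"])
        pimg = normalize_path(parent["image"])
        # Rule 1: cmd.exe whose DEL target is its parent's own image path.
        if img.endswith("\\cmd.exe"):
            target = del_target(e["cmdline"])
            if target and target == pimg:
                findings.append(("self_delete", parent["pid"], target))
        # Rule 2: a .tmp under ProgramData executed by a process in a user Temp dir.
        if (img.startswith("c:\\programdata\\") and img.endswith(".tmp")
                and "\\appdata\\local\\temp\\" in pimg):
            findings.append(("dropped_tmp_exe", e["pid"], img))
    return findings


SAMPLE = "d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"

# Constructed records mirroring the report's tree, plus one benign cleanup
# (pid 3100/3101, assumed) that deletes a log file and must not fire.
EVENTS = [
    {"pid": 2044, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "cmdline": '"' + r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + '"'},
    {"pid": 5100, "ppid": 2044, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2096, "ppid": 2044, "image": r"C:\ProgramData\8A20.tmp",
     "cmdline": r'"C:\ProgramData\8A20.tmp"'},
    {"pid": 4848, "ppid": 2096, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8A20.tmp >> NUL'},
    {"pid": 3100, "ppid": 1, "image": r"C:\Program Files\Example\build.exe",
     "cmdline": r'"C:\Program Files\Example\build.exe"'},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /Q C:\Users\Admin\AppData\Local\Temp\build.log'},
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Both rules fire on PID 2096 and nothing fires on the benign cleanup. Matching the DEL target against the parent's image only works because the short-name component is expanded first; a rule that compares raw strings misses this sample's self-deletion entirely, and the same applies to any rule that keys on the literal path C:\ProgramData\8A20.tmp.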

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\UUUUUUUUUUU

        Filesize

        129B

        MD5

        a59fbc5f3b4314eac7573286cdd0e6bc

        SHA1

        f22771d999fe90d8d098bb10f8f04eb6e0797bce

        SHA256

        7c5ef8105077fdfb0df6b99796e64181b4988c48d2072c66aa5b43a394851841

        SHA512

        a00a6cbffd45afdc3fdfaa3c748b00c610b71aa385836e83af8cc27d318d1d6b6680064a7912398f988cb2e33f6826e995abd03344e538467b93c554e71083a6

      • C:\ProgramData\8A20.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        894ee1ef05b5f1ae528c59bdbed44eb2

        SHA1

        1ff2911b5e031de0d2fccbbfd9735a54e7f57ffc

        SHA256

        1fb9cbf3f0c7ace13c8b19bc49a63cccc288e0ce2451a9c8475810a9674be5a9

        SHA512

        cf8dfa49044f929df03d73d49a72a5666dfa1dec5967efa56882da00d8ec6c02e82e07dd89e26514d97b7d193a3da42eff603c2e87a282c925595c93b707283b

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

        Filesize

        4KB

        MD5

        fd4261e039a36a98fd568023f9d5e50c

        SHA1

        eae15f7d54e3cf1e403767e8ba3998142ad21bbf

        SHA256

        edb03ad16234a6bf2f9e85f035a675b94be0ca6395d7bbe572d43639cb890581

        SHA512

        31f7c453f5c4f23142be49228aaff3f105a7cbc3b2b5fedbda04e912147a28397e83de2bbd5f22ec362d0520894c25e6612aba4889b4face7659cb2f510c987a

      • C:\hokwnrPwS.README.txt

        Filesize

        865B

        MD5

        80ce254bf1170938cb7d41f5a98bf0ad

        SHA1

        f8eb2e6395f16c206d32d5fefccd4f7419324bc9

        SHA256

        36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea

        SHA512

        d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7

      • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        a752bcf2b559019a2fcf1b8dd2927eda

        SHA1

        0ebd2d52f90498e45e852ef76d1b03150f2733b5

        SHA256

        1f9fba5a02a4b1486ecef6155d83218a2c915a5a87d788eefa562fe9275e1353

        SHA512

        e7133848f8e46306bda0cfe63f8eee86f5d66dfc39839cbd5a55cb381543c85d3ffc6e99b8e4ce425658ec78bcbb3d79f43530a477302395ecaffb9572700326

      • memory/2044-2-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

      • memory/2044-0-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

      • memory/2044-1-0x0000000002860000-0x0000000002870000-memory.dmp

        Filesize

        64KB

      • memory/4408-2823-0x00007FF935CF0000-0x00007FF935D00000-memory.dmp

        Filesize

        64KB

      • memory/4408-2821-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp

        Filesize

        64KB

      • memory/4408-2820-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp

        Filesize

        64KB

      • memory/4408-2819-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp

        Filesize

        64KB

      • memory/4408-2818-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp

        Filesize

        64KB

      • memory/4408-2817-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp

        Filesize

        64KB

      • memory/4408-2822-0x00007FF935CF0000-0x00007FF935D00000-memory.dmp

        Filesize

        64KB