Analysis

  • max time kernel: 145s
  • max time network: 135s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05-06-2024 15:34

General

  • Target: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  • Size: 146KB
  • MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
  • SHA1: 97db912c8f0055152837e424cd8764f905a29930
  • SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
  • SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
  • SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG

Score
7/10

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
    "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2824
    • C:\ProgramData\5526.tmp
      "C:\ProgramData\5526.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5526.tmp >> NUL
        3⤵
        PID:2336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:2124
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{51D224B0-A549-4015-93CF-10B5918BB20B}.xps" 133620752507900000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1436


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\CCCCCCCCCCC
    Filesize: 129B
    MD5: 155d28967354179b7a8c33f5caa84e64
    SHA1: 872d2eecc08411b79e9223f08d3ab6c3ec2484e8
    SHA256: 0b34afddb6e3c968580e915175e87dae31497b3b211b4862f79d821f4870fd21
    SHA512: 5d7cea8895cafb15d252c0abf5f2fe2585ab37b0df94fc67add121876be1f74560a446b1a7aac63c0d4ec52a821590a14ceb9379c3a00571c7a619ab8095cb95

  • C:\ProgramData\5526.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    Filesize: 146KB
    MD5: cc749c0b9c1c135a3a8ae517be2ad6eb
    SHA1: 16f9e3d52eb41ad6d1bb64d8ceecc7b2b6fe73b2
    SHA256: 608e6cf2e5269b4ab2ac9712180225aa1b8b8ffa0b27291528713dc7893acce4
    SHA512: 209cd2d4b05084e0768b0a9039984ee5993bbc6c772491e138bb3f6a6a6615391bfd451cce3cf9777320a081aa4a615c5cf3a3cab6e967c76e2df286ad25f657

  • C:\Users\Admin\AppData\Local\Temp\{679D2609-8A32-4F65-BA62-25A944374A85}
    Filesize: 4KB
    MD5: ebc89f1c5ca41fa44000511b4b9246e2
    SHA1: 483d2633b24710a7c2187bcaff861be4d8c6f845
    SHA256: 64198fcb57193552da8956960e80342501e86256196b83af8b131e2e2d0dd161
    SHA512: c5cb030cddc489d51253ea8da3bb68ad71220116142da04a6f5256abadd70fd4a5b9abe762e97915dd8db1f3b3b5356310722b584eb84231ce333f5a2bdcd0a0

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize: 4KB
    MD5: 008ff7cb90df200af3efdce8b9e6bfd9
    SHA1: 1827aeff78b458dcdd17302b1590595430f25170
    SHA256: 053ce41070f323e6c0c968e474d58ff8ad20da6fcf4392efc61dfeda740868f6
    SHA512: a4251efab94278f408e4cd6eb831de5826aa8245b3a3fbd9beb2367779708246319d34df907b0f7125b253ac8fdfa0f56de498632f0f7bbfa297be0edbf33c75

  • C:\hokwnrPwS.README.txt
    Filesize: 865B
    MD5: 80ce254bf1170938cb7d41f5a98bf0ad
    SHA1: f8eb2e6395f16c206d32d5fefccd4f7419324bc9
    SHA256: 36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea
    SHA512: d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7

  • F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 8b3d63f2d18c9b6b1fff0052fc371c70
    SHA1: e9825a4178660fa541501eb080698a71401f8555
    SHA256: 6e828475f2a38be6be5b5ec961ccc3a9a15378ba67ba0c11972d4599cec5e2dd
    SHA512: b25111b9eb41da174e0e3edeff348c64e14e01206b36d6605c7a73616f376243b1be1c75379c1bdd33831359240cd574cc257161c67a88095e5ee52e8700a8ad

  • memory/408-1-0x0000000002780000-0x0000000002790000-memory.dmp (Filesize: 64KB)
  • memory/408-0-0x0000000002780000-0x0000000002790000-memory.dmp (Filesize: 64KB)
  • memory/408-2-0x0000000002780000-0x0000000002790000-memory.dmp (Filesize: 64KB)
  • memory/1436-2759-0x00007FF8F9A30000-0x00007FF8F9A40000-memory.dmp (Filesize: 64KB)
  • memory/1436-2761-0x00007FF8F9A30000-0x00007FF8F9A40000-memory.dmp (Filesize: 64KB)
  • memory/1436-2757-0x00007FF8F9A30000-0x00007FF8F9A40000-memory.dmp (Filesize: 64KB)
  • memory/1436-2762-0x00007FF8F77F0000-0x00007FF8F7800000-memory.dmp (Filesize: 64KB)
  • memory/1436-2763-0x00007FF8F77F0000-0x00007FF8F7800000-memory.dmp (Filesize: 64KB)
  • memory/1436-2760-0x00007FF8F9A30000-0x00007FF8F9A40000-memory.dmp (Filesize: 64KB)
  • memory/1436-2758-0x00007FF8F9A30000-0x00007FF8F9A40000-memory.dmp (Filesize: 64KB)