Overview

overview

10

Static

static

10

6ea5906218...9d.exe

windows7-x64

9

6ea5906218...9d.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe

  • Size

    882KB

  • MD5

    4226dccf4c385f70ce3801c7da731499

  • SHA1

    d28c10fda1e163fd7c9dfe6c7175f076d3638e81

  • SHA256

    6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d

  • SHA512

    10ab0e6debba6f214865a8974908f9995da9fd88a31c23f96082cbfc27521084cd9c8be3abbf7bfa77f08280d78814c1524e64334412218d3466ff6e4de34ad9

  • SSDEEP

    24576:vPuZxz0fDjymk4HM5yJlEEM2gOdMvk1ts:eDWDy4FKEM2rdMvsts

Score
9/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 22 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
    "C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2064
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
        "C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Users\Public\Microsoft Build\Isass.exe
          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
            "C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\Temp\{552A2AB7-A36A-478D-BDC9-70B342958FCC}\.cr\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
              "C:\Windows\Temp\{552A2AB7-A36A-478D-BDC9-70B342958FCC}\.cr\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\{2805AD23-5A28-4A1E-A24A-E8D5C8137E68}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\6ea5906218f8eaa43b3478b278b960b80c4ab1822b01ebb37bfa7aa99ccb5e9d.exe
    Filesize

    635KB

    MD5

    b73be38096eddc4d427fbbfdd8cf15bd

    SHA1

    534f605fd43cc7089e448e5fa1b1a2d56de14779

    SHA256

    ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

    SHA512

    5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

    Download Submit

  • \Users\Public\Microsoft Build\Isass.exe
    Filesize

    216KB

    MD5

    a57ce9b79949479fd2e3b36685bdcc4b

    SHA1

    016773da1b14df7015ffddd6b4347c45bc942c50

    SHA256

    e4579444998ed22b9f1b36f7ddf2e9d4614f1b39a5ce706656b52d02a5c1bda9

    SHA512

    fc1e43a739fc54fdb31bc31b979822028395ea7ed1815b25a841bec8ca0e5fabfbec5355dcd6c90fc369e28e2ada2311ebca01b7f476ea29b58e2fc26526756d

    Download Submit

  • \Windows\Temp\{2805AD23-5A28-4A1E-A24A-E8D5C8137E68}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit

  • memory/2064-107-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-101-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2064-143-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-130-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-129-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-117-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-116-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-79-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-80-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-83-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-84-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-91-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-92-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-100-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2064-108-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2156-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2640-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2960-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2960-15-0x00000000045F0000-0x0000000005899000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2960-10-0x00000000045F0000-0x0000000005899000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2960-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/3020-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download