Malware Analysis Report

2024-09-11 13:06

Sample ID: 240613-21xl2sthqc
Target: 5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842
SHA256: 5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842
Tags: discovery evasion spyware stealer trojan
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842

Threat Level: Shows suspicious behavior

The file 5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion spyware stealer trojan

Reads user/profile data of web browsers

Checks installed software on the system

Checks whether UAC is enabled

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:06

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe

"C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp
US | 8.8.8.8:53 | api.ibario.com | udp
US | 8.8.8.8:53 | api.ibario.com | udp
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp

Files

memory/2008-0-0x00000000029D0000-0x0000000002B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\372kut15v8\gui\page_3112_attr_3.png

MD5 205bc8a805c703e624c6074f337e7cfc
SHA1 8d0d96189310bdd587b9ffb0f7a04a6a639cd0e8
SHA256 e3d5927dfe797c41531cc2cbefb8dbb26f63fc83310a2611a45be4502349b81b
SHA512 71e8ad1900450d459439dea8cdb877e8ac9a4f2692e23a3c5b5cbfabb0fc83fd348ba2edce2f82dcc1357fa84b58b0e077d012f7fa3c9d40fb8968d82d3d2571

C:\Users\Admin\AppData\Local\Temp\372kut15v8\gui\page_3112_attr_46.bmp

MD5 19cafe521085d306aa66d256bce120c6
SHA1 a41ae63f80dc451fb68a34f64aa86867f2cdbd6e
SHA256 ce22b3fa0bb7ad842657737c51a287caea2623019fcefbea4906462f49e31894
SHA512 936e0ca8f2accfaba11dc190e89ae3d19e2ba0963824e87c24ab7e1cc006cc7232163c90924a1e93abe7d602b64b4b5543544e114d9059ea56b6f28535c8527d

C:\Users\Admin\AppData\Local\Temp\372kut15v8\wizard.xml

MD5 49e81da1e1ea52b42aecd671910bd1fe
SHA1 c73512ba247545421f3762225c248002a8dbe49a
SHA256 08805f3d48fed7ec832aa938c7115ee7d7a57b726d41fb564dbf1eb67fe2f999
SHA512 bbe12d4b42c11952ae29db145aaeab68c48c004714e25206350be8c51bef557c2188864722e811dd55e8a14c29b35ca97d279ede9efd54eb70544fe23c6f811f

memory/2008-82-0x0000000000E80000-0x0000000000E81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\372kut15v8\gui\3107.html

MD5 45939eb9defb5c150b660f89996674a3
SHA1 bcb8077d86850fa71e82a1cbd290ce6de52d2790
SHA256 61132116aa23602bdfe0cc6091b086d4a0f143c9c30616a3ead0823c53a10bd5
SHA512 5a0b166a20f2284418cde1182f3ab742b5683832f40f3143d502d0c37219446f4d56741f8f5bcdfb253ae326c803363b4d7e705db477558a70e5662210f5b699

memory/2008-159-0x0000000000E80000-0x0000000000E81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:06

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe

"C:\Users\Admin\AppData\Local\Temp\5684b603c1f01a2112b136e278bad29501628ce5be37742b2d51f9ccdc198842.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp
US | 8.8.8.8:53 | api.ibario.com | udp
US | 174.36.241.171:80 | api.ibario.com | tcp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 13.107.253.67:443 | | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | inststats-1582571262.us-east-1.elb.amazonaws.com | udp
US | 174.36.241.171:80 | api.ibario.com | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp

Files

memory/2548-0-0x00000000047B0000-0x0000000004968000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d040ltk7k\gui\page_3112_attr_3.png

MD5 205bc8a805c703e624c6074f337e7cfc
SHA1 8d0d96189310bdd587b9ffb0f7a04a6a639cd0e8
SHA256 e3d5927dfe797c41531cc2cbefb8dbb26f63fc83310a2611a45be4502349b81b
SHA512 71e8ad1900450d459439dea8cdb877e8ac9a4f2692e23a3c5b5cbfabb0fc83fd348ba2edce2f82dcc1357fa84b58b0e077d012f7fa3c9d40fb8968d82d3d2571

C:\Users\Admin\AppData\Local\Temp\8d040ltk7k\gui\page_3112_attr_46.bmp

MD5 19cafe521085d306aa66d256bce120c6
SHA1 a41ae63f80dc451fb68a34f64aa86867f2cdbd6e
SHA256 ce22b3fa0bb7ad842657737c51a287caea2623019fcefbea4906462f49e31894
SHA512 936e0ca8f2accfaba11dc190e89ae3d19e2ba0963824e87c24ab7e1cc006cc7232163c90924a1e93abe7d602b64b4b5543544e114d9059ea56b6f28535c8527d

C:\Users\Admin\AppData\Local\Temp\8d040ltk7k\wizard.xml

MD5 49e81da1e1ea52b42aecd671910bd1fe
SHA1 c73512ba247545421f3762225c248002a8dbe49a
SHA256 08805f3d48fed7ec832aa938c7115ee7d7a57b726d41fb564dbf1eb67fe2f999
SHA512 bbe12d4b42c11952ae29db145aaeab68c48c004714e25206350be8c51bef557c2188864722e811dd55e8a14c29b35ca97d279ede9efd54eb70544fe23c6f811f

memory/2548-82-0x0000000005410000-0x0000000005411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d040ltk7k\gui\3107.html

MD5 45939eb9defb5c150b660f89996674a3
SHA1 bcb8077d86850fa71e82a1cbd290ce6de52d2790
SHA256 61132116aa23602bdfe0cc6091b086d4a0f143c9c30616a3ead0823c53a10bd5
SHA512 5a0b166a20f2284418cde1182f3ab742b5683832f40f3143d502d0c37219446f4d56741f8f5bcdfb253ae326c803363b4d7e705db477558a70e5662210f5b699

memory/2548-104-0x0000000005410000-0x0000000005411000-memory.dmp