Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-06-2024 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe

  • Size

    149KB

  • MD5

    ee3b16d7188ad9b08cb1cbe52708b134

  • SHA1

    946ec3b88c7eb1442512cd1ba450b05132e48dc6

  • SHA256

    b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e

  • SHA512

    2c1272dd493ff6361dcadfbbffc39aaa8c84a3a7b925597de0fa12381c045307943e7bb3827b5c22709c2be010c2d0e1036c79c5f933c58ee05acabb672ab542

  • SSDEEP

    3072:vOWXtBuFND5H/QUszPu4bk5GB2fu3/X9e5FuZl1yotj3ZzQ2pw22sIq/L:vh9BuFND5H/QUszPrFBeuZl1yotj3Zzw

Score
10/10
xehookspywarestealer

Malware Config

Signatures

  • Detect Xehook Payload 1 IoCs
  • Xehook stealer

    Xehook is an infostealer written in C#.

    stealerxehook
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe
    "C:\Users\Admin\AppData\Local\Temp\b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\delete.bat
    Filesize

    200B

    MD5

    feee1759dda2bec5f505a2822ab15861

    SHA1

    179963b1437fcf2ceb4ff7220ed1e04e8ca40259

    SHA256

    b3c757fc656f50f9468eef860bc915cda1f3d2ca753902aa93ca9bcb4f7ecdae

    SHA512

    1bad72b628575af2aa7ebdedee2fb73668afd0baea2f7bb7b77ef1237ac4119d0cb47746376b10c55f8a2c94e6eb45712f8e6d752b673be87ce4d06bc8bf08cd

    Download Submit

  • memory/4480-0-0x00007FFD62DB3000-0x00007FFD62DB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4480-1-0x0000000000930000-0x000000000095C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4480-2-0x0000000001180000-0x000000000119A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4480-3-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4480-8-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

    Filesize

    10.8MB

    Download