Overview

overview

7

Static

static

3

c3357c4244...09.exe

windows7-x64

7

c3357c4244...09.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 02:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe

  • Size

    566KB

  • MD5

    7c71bd212572dfac82820686e704d354

  • SHA1

    bb78c42fb6f4814cee9410d3a8e4f356261fa944

  • SHA256

    c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409

  • SHA512

    040b1412401fcf1bac7a85609758ccd74361f0cc2d33cd09ae9ad31b05c3824943a00fa8b45e72dc27c885ab73797f77b4f2aafe84228e02059e212786025b65

  • SSDEEP

    12288:dXCNi9BKnMR5U916QffiZrmLF+fkyQzft9JHmdzCq00Q4:oW1NQChm4We0i

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe
    "C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe
      "C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe
        "C:\Users\Admin\AppData\Local\Temp\c3357c4244ecab36393d235595827d7960eaa253f51354e9115b34579ae43409.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1452

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Windows Sidebar\Shared Gadgets\swedish cum licking nipples ejaculation (Tatjana).zip.exe
          Filesize

          90KB

          MD5

          e6f1677065051a431f93dcecb902b030

          SHA1

          3b72a35940ae137a90555ff3416863cca0b6bb30

          SHA256

          a6554f172ce366c9546ff575f256acd7fedfbcf39960d58f7fe8c66a9340a6d9

          SHA512

          65e29e2163f2b562c55696745501f73e31eaff78793077db2a62dcd261f91db87fa5025ef49578d8d026ff0e0a42b85bedb26be6d5b3aa00db1131e8880f9ed8

          Download Submit

        • C:\debug.txt
          Filesize

          183B

          MD5

          8404a275e42fedd7ceaa3c558f301e1d

          SHA1

          0601697c5e79695585b3c962a9df96ae37ef7283

          SHA256

          350642676b0f773fc042478b21ddadeb4678f74e98c6b5a3f2d17166e4530ec7

          SHA512

          ff5fb7158b94d50046faf4d5d2be3c2131c063352ef54605d1418f544cb940865b6920b152a0c1d3b9d101680cc8778fd98b7d9b113d8837912c80f428e2a6d0

          Download Submit

        • memory/2424-69-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2424-89-0x0000000004F90000-0x0000000004FBB000-memory.dmp

          Filesize

          172KB

          Download

        • memory/3068-0-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/3068-68-0x0000000005370000-0x000000000539B000-memory.dmp

          Filesize

          172KB

          Download