Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 21:52

General

  • Target

    5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe

  • Size

    901KB

  • MD5

    7890bc6b89a7adbb0b24cd63511d03f5

  • SHA1

    098178fc13e3dcd19fda05a7da09c075c0460a47

  • SHA256

    5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89

  • SHA512

    e892d873eb980d7ddcdb7921ddac751a07cb72f91f4768ddfeb1290cd6975c11d6217128d91172c1513a24ceb15ac65bacea8e20f1a6059a004f7515110784e3

  • SSDEEP

    24576:oW8R1KbgAuZ7kJn1O9VysN7h+ZptQ0/Sg883M:VPAW1dm+ZpDqgn3M

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe
    "C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe
      "C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe
        "C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4224
    • C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe
      "C:\Users\Admin\AppData\Local\Temp\5b60ec4b910aa25398b1c239dfcc46b2c570885edf3669e2e57f565f5a0b1b89.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1620
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
    1⤵
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob public pregnant (Christine,Melissa).zip.exe

    Filesize

    687KB

    MD5

    ab4f7d48ce120477bfd812929c611045

    SHA1

    4c77b3c6e9e452f555b8796bdba5a0d33f7650ed

    SHA256

    d32fb28494861a0c98e351837e93ae6df5f1db2bcf0408dcf1b84294e06f7b8d

    SHA512

    2c318602991f73863a7eb86189998702cd0c58eebe4c706a804db48020225be9e94a657929a9ce01dbd363de306c4f1aea8c54e6e4e9fee679893d624996dd61

  • memory/4224-162-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4348-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4872-87-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB