Overview

overview

10

Static

static

10

5bd2f0540f...0f.exe

windows7-x64

9

5bd2f0540f...0f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe

  • Size

    357KB

  • MD5

    5209f601f75ee3e823f2e584f77b03f4

  • SHA1

    755193138f704c9797df3880302f0abf81e53eba

  • SHA256

    5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f

  • SHA512

    a3651f7410f0ef99e72dc071baf7f567b757828da6dced8283cf095729f3d7ac32688b7b949616b339c5649dd9f4ffb7558c4d9e9e8d77604c2af30c37935578

  • SSDEEP

    6144:/rTfUHeeSKOS9ccFKk3Y9t9YZJqCBX+kqmCJds:/n8yN0Mr8ZJquUls

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 21 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe
    "C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2368
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe
        "C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe"
        3⤵
        • Executes dropped EXE
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    Filesize

    681KB

    MD5

    242f50607c1087d89ed1f501bea4851a

    SHA1

    8dfca81f09d81f2ce2e675ba48a1ed0aa5cb6d0e

    SHA256

    a6efedbc6666912d85d622720423aaa526763a16ef802c212a144307470ea758

    SHA512

    094d9caf261771ca995128312c3d122bfc8055fbe565c3ba367e50eaa07d36ddfc602efea826742df0d893f855e2127ab21b5644307c4e540e04957170b533ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5bd2f0540f6facd358ebd73b1b9edad5d825fee8816def9356354e4343ce220f.exe
    Filesize

    140KB

    MD5

    1793928d1c8daf03a8b67a60a0ffbd93

    SHA1

    c777c5be2321bf493877efef590eec8c822e2072

    SHA256

    84a2bb3191f370ba456dd8637e08cd47ef1c80a54d081881cd1e16a8c67f0238

    SHA512

    64ef94fb34b637c5d40878f4d3b0db7f2d74e89be35fca959ee9354cdf8f5bd61d90e8aa1ff795ddafe60ba5d1a0d4b57c41b1bf8750d24d685aa98f4142c11a

    Download Submit

  • C:\Users\Public\Microsoft Build\Isass.exe
    Filesize

    216KB

    MD5

    189d4b2a83e17869255961df5c63933e

    SHA1

    5ea50055133566dce52e5dc262dba169d4aa1ac0

    SHA256

    305a51d23f4b2f395722608873e097a767ab74a0d75d31ec98a000fa4625842e

    SHA512

    960d9ab4ff1f6d4d8245d6b48a089d89c2b0976c8b10ec29e9a4df834f73b12262d5e7796f9a49c9e23b12d69d4740dba01bb8ea751072dd979307bc19a8517e

    Download Submit

  • memory/388-4-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/388-6-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2192-22-0x00000000005E0000-0x0000000000608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2368-49-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-38-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-81-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-24-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-28-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-7-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-33-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-72-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-48-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-8-0x0000000001A80000-0x0000000001A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2368-59-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-60-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2368-71-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2972-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2972-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

    Download