Overview

overview

7

Static

static

3

b6d4f162f5...7c.exe

windows7-x64

7

b6d4f162f5...7c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe

  • Size

    869KB

  • MD5

    52301e2e4f83bc459f2a1fc537000853

  • SHA1

    d32fd82310fdb782a2ae0c6a7b5cb87ee779bb08

  • SHA256

    b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c

  • SHA512

    8f157f9814b9d48d9455545d9a27e2009f28080d12ecb140b00a47f508c3bd94ed8a93f2a2fe2e22a1b46a558c345fc5e85b1c2ed80d5d5672c4f00f6d70073e

  • SSDEEP

    12288:/n8yN0Mr8ZL6aVs7IypwXK4Qzh+jMlWCEh/yr5QE00vZ5McAA9YlO3d:vPuZLzIfpwiz0wy/ylQd0ccdYlO3d

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
    "C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2528
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
        "C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe"
        3⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Public\Microsoft Build\Isass.exe
          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
            "C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe"
            5⤵
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Users\Public\Microsoft Build\Isass.exe
              "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:524
              • C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
                "C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2532
                • C:\Windows\Temp\{9CFDEF5A-0BF1-4602-9537-639AD575FDF9}\.cr\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
                  "C:\Windows\Temp\{9CFDEF5A-0BF1-4602-9537-639AD575FDF9}\.cr\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:3356
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\b6d4f162f5ae5e393b38a7b4530a148f667fefe09ba6eca65ffef29c0af1b47c.exe
      Filesize

      632KB

      MD5

      c27046bd35c5717084bb40c7305b941a

      SHA1

      51510a7753dd2a1236b34b495db21ef18a74c25c

      SHA256

      e0bc82c13bcd1ade084a0421dab88e23e9cc5499323449e585e7dd2116951bd3

      SHA512

      df9dc98043ea5b86c671e769a75e569366223c5a291f5eed22f68af9783a0aa295d8bb0ee0b510767cce7961f2e501124d9fe656044766644e18682f21446214

      Download Submit

    • C:\Users\Public\Microsoft Build\Isass.exe
      Filesize

      216KB

      MD5

      4e3da62191c139e87d1f71984d949fce

      SHA1

      5c8b28ea57a97cbb166e4fbcc141844aad5f253f

      SHA256

      d01f00c25d0328aa0d4bfa21af570f1697a725f23cf7d3cbfb4fef6183bc42bc

      SHA512

      7ca61e187b25fb9afce445e4952091f1248d6e68ff08c1d00d32a9c681f653d4100628ab31c23285e85d2f0daaa523f47f8ca4d3ac4f18d2224ceec999a63b9e

      Download Submit

    • C:\Windows\Temp\{EA55A5A0-B13E-4925-A179-0103A88A7694}\.ba\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit

    • C:\Windows\Temp\{EA55A5A0-B13E-4925-A179-0103A88A7694}\.ba\wixstdba.dll
      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

      Download Submit

    • C:\odt\office2016setup.exe
      Filesize

      5.3MB

      MD5

      030a8ae82177ea133b93d2a44c2faf84

      SHA1

      a42fcdbcdc459ba814389ebee1d004c864d68d2f

      SHA256

      7e431124facd06863cca6c2d6c8f5fcb44d541fc269ecbcd49cee8a5d364cb49

      SHA512

      61788f349b1115387b63d3fb7cfe9e52bee9a2585c065df4aaa7d439ece6739114604f1d2b7b90d08d3ee84b20afca88fec559f0fcce612fb20d9da0f433da71

      Download Submit

    • memory/232-28-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/232-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/524-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/784-0-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/784-13-0x0000000003D50000-0x0000000003D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/784-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/784-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/784-2-0x0000000003D50000-0x0000000003D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/784-1-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/1232-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2240-24-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2240-26-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-100-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-79-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-14-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-8-0x0000000001F40000-0x0000000001F41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2528-7-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-92-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-95-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-131-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-101-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-105-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-111-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-116-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-119-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2528-125-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/2628-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download