Overview

overview

7

Static

static

3

c5d9360975...fe.exe

windows7-x64

7

c5d9360975...fe.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    138s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 02:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c5d93609759a7cce69b2bb09fbdc24f47622acf350984bae54cfb65d712ce3fe.exe

  • Size

    2.2MB

  • MD5

    1fa3b9c4788f64b2c7db9974154ed3b8

  • SHA1

    387ca10633c95177b25457602993a75910f71cc8

  • SHA256

    c5d93609759a7cce69b2bb09fbdc24f47622acf350984bae54cfb65d712ce3fe

  • SHA512

    1c848f8aa6da4df2c2a508c2def77653b5cdad6982417ef39d6906081ad816f4b45635dc848be68d59e78a7e8c73e0b1bdd37d31851eb199753bf145c0cbb07d

  • SSDEEP

    24576:Pe6u/p6D3RSinEBlDfHfnGVaUI6tvW1qMTyM4WE1X4swDOn0LKsdN3fK:POB6zYxf6h581qMWVWEGHmsfPK

Score
7/10
collectiondiscoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 13 IoCs
  • Modifies Control Panel 5 IoCs
    evasion
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5d93609759a7cce69b2bb09fbdc24f47622acf350984bae54cfb65d712ce3fe.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d93609759a7cce69b2bb09fbdc24f47622acf350984bae54cfb65d712ce3fe.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Enumerates connected drives
    • Drops file in System32 directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:1548
    • C:\Windows\SysWOW64\sqlwm.exe
      C:\Windows\SysWOW64\sqlwm.exe /combine local system
      2⤵
      • Executes dropped EXE
      PID:2316
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4321344B-ED11-41A8-9D22-49EA98EEB7A3} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\srvurl.exe
      C:\Windows\SysWOW64\srvurl.exe kfc
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      PID:2512

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol
          Filesize

          4B

          MD5

          59babb838a876914f6b5402512da3d41

          SHA1

          eb72a9af96d374bc1d0045513ae1f4541060a7e5

          SHA256

          443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866

          SHA512

          6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea

          Download Submit

        • C:\Windows\SysWOW64\sqlwm.exe
          Filesize

          2.0MB

          MD5

          138ebcb924dfce3b4e96378195afc0f3

          SHA1

          93e98c5c7ddc503921212e50e6f22b89b25438bf

          SHA256

          7639e64d04a05baadb4fcd5175d331e7427327fe1cbdfd46382e4c26a605fbd4

          SHA512

          22567475478573388b3fd20efe4a79f891c41bd3d62e7eca11fa7c71d4b4abe9559cc2ca72796778f620aa28756e245eacf9058aa6af702addff68d96fd19e81

          Download Submit

        • C:\Windows\SysWOW64\srvurl.exe
          Filesize

          2.2MB

          MD5

          1fa3b9c4788f64b2c7db9974154ed3b8

          SHA1

          387ca10633c95177b25457602993a75910f71cc8

          SHA256

          c5d93609759a7cce69b2bb09fbdc24f47622acf350984bae54cfb65d712ce3fe

          SHA512

          1c848f8aa6da4df2c2a508c2def77653b5cdad6982417ef39d6906081ad816f4b45635dc848be68d59e78a7e8c73e0b1bdd37d31851eb199753bf145c0cbb07d

          Download Submit

        • memory/1548-0-0x0000000000400000-0x00000000005AF000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1548-1-0x00000000005B0000-0x00000000005F8000-memory.dmp

          Filesize

          288KB

          Download

        • memory/1548-2-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1548-44-0x0000000000400000-0x00000000005AF000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1548-75-0x00000000005B0000-0x00000000005F8000-memory.dmp

          Filesize

          288KB

          Download

        • memory/2512-36-0x0000000000400000-0x00000000005AF000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2512-79-0x0000000000400000-0x00000000005AF000-memory.dmp

          Filesize

          1.7MB

          Download