Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 01:17 UTC

General

  • Target

    8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

  • Size

    901KB

  • MD5

    36e6f1987dafb002b19404c9508c6a3a

  • SHA1

    d84face4a94cf065d319c3b2339931bc2c678e53

  • SHA256

    8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77

  • SHA512

    6ace91d5a5f9e67acea49a52634456842139174ae49cdaa1a1867c18dc0dc73658a54b14b5d8935462bc4f199609b9c2eb273f8fc7b7ea4c34d119e24286f771

  • SSDEEP

    12288:JXCNi9B0DfNFHvV0lJUAhUmuW9U2UwMT/XB9lawaY7w8G+wLpyoF3vMFO/zdXxM4:sWanPKlrhUOaTZLf7w8G+syoF9ERe

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
    "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
      "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
        "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
      "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3148
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1844
      2⤵
      • Program crash
      PID:4836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3956 -ip 3956
    1⤵
    PID:3180

    Network

    • DNS 136.32.126.40.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 136.32.126.40.in-addr.arpa IN PTR
      Response: (none)
    • DNS 8.8.8.8.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dnsgoogle
    • DNS 43.58.199.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 43.58.199.20.in-addr.arpa IN PTR
      Response: (none)
    • DNS 172.210.232.199.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 172.210.232.199.in-addr.arpa IN PTR
      Response: (none)
    • DNS 11.227.111.52.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 11.227.111.52.in-addr.arpa IN PTR
      Response: (none)
    • 8.8.8.8:53  136.32.126.40.in-addr.arpa  dns  72 B  158 B  1  1
      DNS Request: 136.32.126.40.in-addr.arpa
    • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B  90 B  1  1
      DNS Request: 8.8.8.8.in-addr.arpa
    • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  71 B  157 B  1  1
      DNS Request: 43.58.199.20.in-addr.arpa
    • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B  128 B  1  1
      DNS Request: 172.210.232.199.in-addr.arpa
    • 8.8.8.8:53  11.227.111.52.in-addr.arpa  dns  72 B  158 B  1  1
      DNS Request: 11.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish public .rar.exe

      Filesize

      378KB

      MD5

      c3b323ea404f27144f391cf50d169d33

      SHA1

      2e5966c61fb3c8778d05d827e41c57b019e64068

      SHA256

      debf0b77d89954f7eed470e13ac0aea757d0fd669bf7664df8bfe2bceb023123

      SHA512

      0030011a8aa2344465eafc807b7039b4a7fc3832baa472154d667d5ec3c6f702d2dec6c7fc2991bd29cfbd60639ecc6f2ccc298ce0a24d86d8321e1006471e99
