Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 20:45

General

  • Target
    2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe
  • Size
    1.2MB
  • MD5
    1b28c04285ccba5d8e09e4660d7b9b9d
  • SHA1
    12443b6d6e9a43b742c8a1806577fc3491cf5019
  • SHA256
    2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9
  • SHA512
    b78b6040b3b6123fa8a0b6871d376c955830cc46d8ef36d7f47fc52014c35bddd883a7e4731dec95990802e432164f361f6607cd9bb83bf6155ca2eef712918b
  • SSDEEP
    24576:oWAKsyqHQwQxf33BHtrTAVku9yfQRCl+pzunen5OAHIHDdoFQy6Vc+B/:VaHnEHBxT2kJfQRClsun4fH5wVH/

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in System32 directory (12 IoCs)
  • Drops file in Program Files directory (18 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe
    "C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:6084
    • C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe
      "C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe
        "C:\Users\Admin\AppData\Local\Temp\2eb629533113620356f68988bbb9565e037e377b2b6c1b8cffe759835e324fa9.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:6100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\trambling lingerie voyeur ejaculation .avi.exe
    Filesize: 1.6MB
    MD5: 231e122abcd5e5fb7625ed691e027dae
    SHA1: 739688474b185f6e3b725f3704ac4c4a8534d135
    SHA256: 11d2c2f6fec0ffb15ab1428988484e1af5fafa72d698fb6115e860a66bf8ae45
    SHA512: c115762e35aa87f2e035acb78c38d78579c8b6a04050c7d946a292013dbf96091ab287803146635939132a5ee112005d5e214312fe6cd50f3f3beff092b7caa2

  • C:\debug.txt
    Filesize: 146B
    MD5: 309fd551497ef25b69bee6a8bb087436
    SHA1: c5e416ae58ffd24405affb024e4d609ca128dcfa
    SHA256: 69f29d90e5222f8dcb1dd380ff017e82b1dc664fe2ff8cfc9ff45442b069abe4
    SHA512: 50d9d85bac14981f7771ab844ac674e6b6964afcf9386447d8ccc492fa710f8cfecebf63b301b71ab17635ccf25d8869258dacf3acd3a988f67dbf2f5aae1620

  • memory/6084-0-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize: 172KB