Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 20:46

General

  • Target

    2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

  • Size

    1.0MB

  • MD5

    e553cc6505679275fbcca0e4f1a73e91

  • SHA1

    862999b23d86bf602a0692f2407cdc97e7e97381

  • SHA256

    2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a

  • SHA512

    f3afe7e78b796d23e0123c941013a78ff3ba34b5149ccb587e9725434cafe84cc275afaba1ccaa0beabdb56304ff63b3f6a39399b15fc9b27fcf8d8819abe0cd

  • SSDEEP

    24576:86SEl5bHLmBnPaAWaRzN1VfD74drcLtFfYC:5BnLuaaRZ1lP4drS

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
      "C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
        "C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\asian cumshot girls titts .mpg.exe

    Filesize

    839KB

    MD5

    ce5aab73e95bdd29e71e920c87462a1d

    SHA1

    b1a97154df6623b06d9ff8c3601c7c1e61776a36

    SHA256

    ec2b5f1b1ff8e15e32692788c51c905ba40e6c01f2859b4bd2deec1654f90ea8

    SHA512

    9e9f1d4c3d21f1f85f76b5591ca3248394d9d85b206fd57f4ae239ab66b6e58fcae2b03add885dd36737544def78cdfcd50deed6dc4d0c62e9235bc44e644f36

  • C:\debug.txt

    Filesize

    183B

    MD5

    4ad871ea97315750478446cee0e0c92f

    SHA1

    49ba12ff5f847bba6660f1760d96a8645c096644

    SHA256

    9b76809b8fa976db237e2d65a4cf29ec6861e77e35ecdc41ecb7fab68c88aab0

    SHA512

    50f23f615caab2f4fcf744a696a16ae67db08517004e9384cef07170c33350f8c7cc11c187473c2711ac00e9e739288e234523d3075da268000412eded5074b8