Overview

overview

10

Static

static

10

c1be767404...8e.zip

windows7-x64

1

c1be767404...8e.zip

windows10-2004-x64

1

00195a0548...01.exe

windows7-x64

10

00195a0548...01.exe

windows10-2004-x64

10

103494894d...b8.exe

windows7-x64

8

103494894d...b8.exe

windows10-2004-x64

8

15e918d1df...c8.exe

windows7-x64

10

15e918d1df...c8.exe

windows10-2004-x64

10

1adf26633c...96.exe

windows7-x64

10

1adf26633c...96.exe

windows10-2004-x64

7

25bbed4562...a9.exe

windows7-x64

10

25bbed4562...a9.exe

windows10-2004-x64

10

29b828a2d4...7b.exe

windows7-x64

10

29b828a2d4...7b.exe

windows10-2004-x64

10

2f0d81e068...61.exe

windows7-x64

10

2f0d81e068...61.exe

windows10-2004-x64

10

317ce86a4e...85.exe

windows7-x64

10

317ce86a4e...85.exe

windows10-2004-x64

10

3c764ae83e...36.exe

windows7-x64

8

3c764ae83e...36.exe

windows10-2004-x64

8

40c918b435...1df.js

windows7-x64

3

40c918b435...1df.js

windows10-2004-x64

7

4963827ab4...5e.exe

windows7-x64

10

4963827ab4...5e.exe

windows10-2004-x64

10

50d670fcdb...0d.exe

windows7-x64

7

50d670fcdb...0d.exe

windows10-2004-x64

10

55911205ed...78.exe

windows7-x64

10

55911205ed...78.exe

windows10-2004-x64

10

5a48f7ceeb...a3.exe

windows7-x64

10

5a48f7ceeb...a3.exe

windows10-2004-x64

10

6700ee6916...ce.exe

windows7-x64

10

6700ee6916...ce.exe

windows10-2004-x64

10

Resubmissions

27/07/2024, 17:08

240727-vnrrpszapr 10

24/07/2024, 13:55

240724-q8e67aygrr 10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe

  • Size

    682KB

  • MD5

    218ed2d0aee62452d3229a459cb492fb

  • SHA1

    a2322a164ff11c0c71336e225c9087a5512cafd6

  • SHA256

    25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9

  • SHA512

    989bbaf89e9a5d43ba698786753843d5f467637d0ec7881b2763115f32d7ef6475f05709573f9563d7d8a0856e59270b6f9f0082d92c1779d2ace7638bf42fba

  • SSDEEP

    12288:JxOhZvdJ25Sy0V3gY7t4H3TvGre9SHhuuq8iZAlxWxxyEAN8RriCroxfL41:JCFn3J7mXTvOfUnmn58hiCku1

Score
10/10
collectioncredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.schafoundation.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    schafEST2012.

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
    "C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
      "C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe"
      2⤵
        PID:3948
      • C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
        "C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe"
        2⤵
          PID:2344
        • C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe
          "C:\Users\Admin\AppData\Local\Temp\25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9.exe"
          2⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:3228

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2232-10-0x000000007459E000-0x000000007459F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2232-11-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2232-2-0x0000000005400000-0x00000000059A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2232-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2232-4-0x0000000004F00000-0x0000000004F0A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2232-5-0x0000000005150000-0x00000000051EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2232-6-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2232-7-0x0000000005130000-0x0000000005140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2232-8-0x0000000006160000-0x000000000616E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2232-9-0x00000000061A0000-0x000000000622C000-memory.dmp

        Filesize

        560KB

        Download

      • memory/2232-1-0x00000000003B0000-0x0000000000460000-memory.dmp

        Filesize

        704KB

        Download

      • memory/2232-15-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2232-0-0x000000007459E000-0x000000007459F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3228-14-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3228-12-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/3228-16-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3228-17-0x0000000006E80000-0x0000000007042000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3228-18-0x0000000006D00000-0x0000000006D50000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3228-19-0x0000000007580000-0x0000000007AAC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3228-20-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3228-21-0x0000000074590000-0x0000000074D40000-memory.dmp

        Filesize

        7.7MB

        Download