Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 20:30

General

  • Target

    1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe

  • Size

    2.7MB

  • MD5

    f625bcf9f2cdd921a1dfed2c1a2410f0

  • SHA1

    36587f4aa258dbb2e5e95c3fc8c6c81f48c67239

  • SHA256

    1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9

  • SHA512

    da683e47c8247c22547cab280ba3f71b9800bf9b0b884f748085ae25f74cf2acf21370784222ae53c4d6cc79a45bce42634f84b031cb88682e5def1316592689

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpf4

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
    "C:\Users\Admin\AppData\Local\Temp\1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\IntelprocLC\devoptiloc.exe
      C:\IntelprocLC\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin%
        C:\Users\Admin%
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:2032
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -a
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:2300
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint2P\dobaec.exe

    Filesize

    2.7MB

    MD5

    525fec6159e23344b4e7d22dde5251e6

    SHA1

    8aa934f8a71a8d91141ba59469db5fb3e29fe11a

    SHA256

    af387d2625d4a08839769e10903dd4a63ca798716b0082b3e793835785c0691c

    SHA512

    133ed6fcdf243bd8a6693a952a31691309061cb16afafcc994706cddbaf78249748ebd83bc1be8ffdad2826ca73300d029d2c9bb4fe1485f4980cb31fac267a0

  • C:\Mint2P\dobaec.exe

    Filesize

    2.7MB

    MD5

    17fae993ec56b8648ca9f0cf8adce9a5

    SHA1

    8c45966744f075ed016ad4d717757ab0f22075a2

    SHA256

    ec2c0404460aea7d701014086dd2795af60528750c6059cd552e15b82f52ce8e

    SHA512

    26ee81ba51069b7f011e10459b292976276c23abd1053a9245be6c075923585c8207a9097af970974f4f94dd4e2479fbc8ecdf6def74c7cd6d4b3858dd8d80b2

  • C:\Users\Admin%

    Filesize

    2.7MB

    MD5

    3a110d6cd556a86b9e2d0fd9a4fa1346

    SHA1

    bf48b370684ecb043d6d8de83b2ebd240dadeedc

    SHA256

    16e7544bdaf93172555bacb702dfed2bfcb82c41c22abc9a2dc12e01570ad9ef

    SHA512

    2b569e0c8eb594159749c850b985ea1391ed80a044dabd0e62f7794b4a38662bc25861fbc8a4af0bcf9c56bbda146d4bac472b2686c9fc7f8550682265e46f3a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    aad096b4024c0b1da3e079492243aed5

    SHA1

    e141fce01dc18ec1f2ec7fdf06be80b44c213f65

    SHA256

    e2d5cce02f4e6dc9e880a4d3964bf5c61d311dd0651173aecc9a489f2954db42

    SHA512

    0c297a7674de55e3b78380e4c96343e85d973f5e79485c61b367fdc562915431b86300edfb335b237d0c059fd0effc7189345dbcc86aad9659bdc79fcee27d9f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    209B

    MD5

    f676d663b27b5f12810244153a1168e9

    SHA1

    8bc8872efcb5a40d021b8f2f829f9c9226fcc3b3

    SHA256

    b5d58e863be99a73fc48a2ad247fe1f659b83b1af5821da60b80e6e1bb9b145c

    SHA512

    64a4ae3f6787dbfcd675778c9cf9056806e63a03eee923b96155efa0438bc35c441a58cb97032e20d4a1264cd0a53ce088c2af742357f48746bbcd112275c89a

  • C:\Users\Admin\grubb.list

    Filesize

    262KB

    MD5

    df4a54c011bd6d5a69223d28a11a3775

    SHA1

    2b8fad8104d26b0e79b4ab1ceacc84dd84e78e9d

    SHA256

    b7c7fdecf178ddea61fb797e22db538ae667d31936c56f7ca2e8cd1b04ca9c2b

    SHA512

    df8dae49e02f1473db9bf28e84afc8d9c9bf5a613978aa38e2bd152d19aa3290555e09e8c0bae2c0b492cb107ce500d3620a3c2157a5bb16325335abce43bb20

  • \IntelprocLC\devoptiloc.exe

    Filesize

    2.7MB

    MD5

    342b408c39674366cd53c654d11844a7

    SHA1

    45b458cec7910de2ef39eae9506db2ce9641b84a

    SHA256

    60bb301f572e3566ea9d07564cbfe85dfc3984025e9398d76a57b0266219d5b1

    SHA512

    6585958196c994b3e355073bd3c6c4749f6e89214abf9ed1867c004d4f226f849a521b055ca4433fba5bf32240c4a40166b23c76e2c4d5e6ce8b558205744f2b