Overview

overview

10

Static

static

3

archive/AppFile.exe

windows7-x64

10

archive/AppFile.exe

windows10-1703-x64

10

archive/AppFile.exe

windows10-2004-x64

10

Resubmissions

08/08/2024, 18:04

240808-wn4a6swhrk 10

08/08/2024, 17:49

240808-wd3a5awhjl 10

08/08/2024, 17:38

240808-v7shcawglr 10

08/08/2024, 17:24

240808-vy135azfne 10

Analysis

  • max time kernel
    190s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20240729-es
  • resource tags

    arch:x64arch:x86image:win7-20240729-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    08/08/2024, 17:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    archive/AppFile.exe

  • Size

    716.0MB

  • MD5

    0bbd85dcd282a7fbe78c2ce3c97165ac

  • SHA1

    e0e5a31d3ee971f0a7c98766d84c78bc3a31193a

  • SHA256

    e682ed5c59779bc89389b243172f7f6b6372319820e8f65aefdd93c0a1a3be33

  • SHA512

    3ac34ae372651b5b8a0ac41699633a969158505cd1e429d5312a052ba621bda2cb823bffb4d0333390a6c31a9407bb44b162997ee4348682732b09dc6d820da2

  • SSDEEP

    98304:mSdaaItMOwNcT43nfPk4fqUgL0r+pOEMpDclH:7du6OE3fLXrbEyD

Score
10/10
credential_accessdiscoveryevasionspywarestealer

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 1 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\archive\AppFile.exe
        "C:\Users\Admin\AppData\Local\Temp\archive\AppFile.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Supply Supply.cmd & Supply.cmd & exit
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2736
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2600
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 727240
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2708
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "documentsproposalsbutlercd" Brazilian
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Fiji + ..\Bean + ..\Divorce + ..\Flexibility + ..\Tea + ..\Cult + ..\Formula + ..\Reforms + ..\Compile + ..\Worm + ..\Fear + ..\Computational + ..\Completing + ..\Many + ..\Hungry + ..\Indie + ..\Attributes + ..\Represented + ..\Reviewed + ..\Patches + ..\Edge x
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2200
          • C:\Users\Admin\AppData\Local\Temp\727240\Cheap.pif
            Cheap.pif x
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2636
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1696
      • C:\Users\Admin\AppData\Local\Temp\727240\Cheap.pif
        C:\Users\Admin\AppData\Local\Temp\727240\Cheap.pif
        2⤵
        • Modifies firewall policy service
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Users\Admin\Documents\piratemamm\0zCHVDmVFx4ZQwSa3BccZlAg.exe
          C:\Users\Admin\Documents\piratemamm\0zCHVDmVFx4ZQwSa3BccZlAg.exe
          3⤵
          • Executes dropped EXE
          PID:2428

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\727240\x
            Filesize

            1.5MB

            MD5

            4bb73af45c8da8f46cd4c14929169feb

            SHA1

            c01b1d1a28d1c8eb9c060c077b77b0e38c1fdd75

            SHA256

            d3ca610be76ba951146eb42f5c5e46caa55155993ff283fa29aeae8db76d1b79

            SHA512

            831d37dfbeee96e8eb15b7a793df84d6bbdb5aa03fb0789dfb20a2f499eba873b7d677b5f4883f16884bbbaf4315f02e9677df0671690d23811e6a228d6fcccc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Attributes
            Filesize

            99KB

            MD5

            a61652cca66b8f0cf888255668d88d68

            SHA1

            d2a39ff4839ed2c39eca0cde88e1b3de0da15968

            SHA256

            8fb58d47dc79ccdf62a3115dae2540a9eba32f69f59912225030c807d932da1d

            SHA512

            93c98209fba214577cdf8d4ca00523a13fb013d95b6b44ff292fbfc0617426732c7088d6dfba6e762672620d425b9abd0979a42e13a979700092672f11532bf5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Bean
            Filesize

            76KB

            MD5

            6ef0bbad3b2c89ef71abb194b908cd3a

            SHA1

            cd1f3cc1c7e6be92004924c48401a7c9c250aef5

            SHA256

            66329e385dc784cace369bf0d7e0a5a06a610850b1152d7bdb8bdae97c097ee7

            SHA512

            aab6222beb3c6c5e9d281aec44e5a15a11f8394617086c8e9b4494b34441c82380fddf43bbc4abad6a39a6dde193498e8952a0c44facae1402fbe483c9672548

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Brazilian
            Filesize

            513B

            MD5

            fdcd2abdd06d2b8581d2a17ead8abc6f

            SHA1

            c2d76ede6d308f389c1b5a71b697846207e78fc8

            SHA256

            1d851fefa46a99de8b7d901ef7b080601c17c148e2c8b0c457fe3d5e203dbcd3

            SHA512

            d08ba771235842003aad64f059bc00bfaee52005b6ce2d2ce3b839d1e42c28f0dc9a369188b9e1f4d46899e130a812e6d19c09e901cfc3778bd8131207b51df2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Compile
            Filesize

            53KB

            MD5

            e3e6c8826f252728c4f7e9df3ab28f7f

            SHA1

            364efad9a4593f4a92b84b1924e9e11e5af95bf4

            SHA256

            5843067834c87fbdd6ff8c6316e9a395c6fbe6b7172376737d9399e5a6eba9cf

            SHA512

            201946364df1f75222f739ee93a0930db259220a918f09e231221e50b739d0525a1f64172c2ca63676574276b28e6a3bd28b80db5890c6a5933d82079ba1a7e3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Completing
            Filesize

            79KB

            MD5

            7922de2ad5e2a203212dce1dfa714cec

            SHA1

            68693241c049d4ae1dee56719ae5edd5e3544db0

            SHA256

            4d05de63c788ff7ba0fc3f7e155160444e044647d37ab293c525e330f3436347

            SHA512

            d2ed378f57b455438412dd262cb33b59573ca65a3af5bcd098b500566a6b5598788394cba1c062807f9223dcc6e670bf0c4e779e56364f5539dbe1f88c83ba44

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Computational
            Filesize

            56KB

            MD5

            53a404e3ad657649518432d3f3262aa7

            SHA1

            56ad4edd5125ee81dcfd44f17eeef65a6ad6bafa

            SHA256

            328e98d5fcf519f0b505b1394151c93038351777f190c28a9b920fa8c7b4302c

            SHA512

            89ad78c9cc37e745a3bc874f67096ab25cd2fbffb3c25dd8a51027877bf762c5b66be62ed17b0253c5927e0c66e9a5db737381412624df34a61f6d81fd6a8fb6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Cult
            Filesize

            86KB

            MD5

            2328b01b07ed6167d47851e8db4ce988

            SHA1

            921c22b876718ffe5d8d9efb98b70ac092eef163

            SHA256

            b700a63f618bcc194d2c70ee0d25a5b619f88932b88c2b2d31eb26eb9c0f2f61

            SHA512

            099110ff8da82d13caffe7c7b1291f34f026c0938f522519a5387e2a8d9095ca1bfaf55f0748ff5abb1cabaa13279b7d86ac2c89394b0f5acf5340b0806fb009

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Divorce
            Filesize

            58KB

            MD5

            0a64d11e2155d8b06e6e2473f0eee478

            SHA1

            a319b8d449a59ed67f3739d12ee928a33651fc57

            SHA256

            0ec84e64c76986f9be8b44263152434d0fdcc560c8c4d55a389f99bc1677c538

            SHA512

            d1bbc6d2f3f14a3fb803cced018cf22bba7692f5360d09e11beedd522db19d0b8fa303cc3f9a03ebf6738dcfc874cc856bd6b5600b45db4a825d6e1328cf3b61

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Edge
            Filesize

            50KB

            MD5

            843b8f76f304a74516b856b8aefae830

            SHA1

            c2564f002ce2ff6750e56c92952bba724e6431f2

            SHA256

            410f11bcc32ef2aa2ca8116917278a1f08fa1f77b9e505e4dc31ddcf0c6278ce

            SHA512

            489f5be3f7b63eeb1342a3eb19c91e9a46a202c0e2011ab2cce3c31c3c21bb33d887702ab2d4e51b5d0a1e106f733f1c57fc0067d50a235f2b554330b0a60af0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Fear
            Filesize

            83KB

            MD5

            6d537dfcfae02265fc8519f1c6dcbb8b

            SHA1

            3f0458b6ee0a2d848e43f218450e53da0e75f5eb

            SHA256

            e4e63f638ff2d07817118b39064b6f86de6842a956932d19b2e2928a23c4c442

            SHA512

            d60200093ed6adbeff9c603a81da9d8dc77bf8a5c00e0978cc65c2269ef9783fde0e4e4757e0cc4d38bdc55dca47802bae7a67e5a4cd5863720eae00e0555e31

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Fiji
            Filesize

            78KB

            MD5

            e1de885cebecb5485c1440261cc8cd9e

            SHA1

            afc856de1dae2d360deac4e5567ed1fe99ac22ea

            SHA256

            fbf363f46a80bd4008e43057788a91e3455830a0c476deabf0d9ce219feed5be

            SHA512

            a4d5f2d31944a38ac62974e740affa9d0f808afd1725ceabde1e340772653babe7ebb63eb2f7619f9c59649b22b57bfc1c9ef67190a33faa3284a71f1d9c3cd1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Flexibility
            Filesize

            74KB

            MD5

            8ecd24294168e3afe1bab0b31777f3e5

            SHA1

            6936681df98ce14dfa8f9d8759b678329e2453d3

            SHA256

            6747e5ce1824302b03fb13ea56459d19c02d89a0535b2d5d7cfae6c840b5bf39

            SHA512

            0b97cac1fba2a1872878a182cbe5a9f22e7b42636576e410088be0bbeaa083d8213ca240a72b61b691d809989d170d3321cec3eab20348a9e465fea291cfac8e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Formula
            Filesize

            85KB

            MD5

            afa636c620829e4dee529f2480552f41

            SHA1

            109175d5acd00f0eadd137dfcbcdc984b4705139

            SHA256

            c3e849bcb4dd789ad2dd51ddb3bb51f61509ae16b959e97c6fbec893d3f3943c

            SHA512

            52ad163dfefba154d43af5e00d68046523bec4833f189add38ca4cccc63a6cefdd751cf106ec812656c8d81ce78d4e092626de97759b4d4cee86e15a40724b57

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Frontier
            Filesize

            1.0MB

            MD5

            481244feaa38535eb93e7834207e2273

            SHA1

            cbf5076bc1017e7f0db5562f4a6eca4582458aef

            SHA256

            fc5ad89c885d2312256a3d413aff3ee1612493ceb86fdd31a67df3d927eb7286

            SHA512

            35ed209905d2f1987021d885bedaec78ecb13077247c09103f33af7e50bce2f139914a024203c25550ef345f087d617d891ded5293644ad4b3acc7a46e11d239

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Hungry
            Filesize

            58KB

            MD5

            5ec77633a8cba2c7b37d31a857402565

            SHA1

            0e72b0943611467cf1415702874c6e900da04e01

            SHA256

            2973b6805a786c2601fc89ac20e11cb0bc6ab6bef72a2cf0f56e43b0791c1144

            SHA512

            72437f8e922ead29a259aa82995f9e82916c23eb6a1a10cb3192fa833c488c5009884178e5bae7ddbb373279a7ce92f67f30032eac48e58daa35e6513f48bb41

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Indie
            Filesize

            88KB

            MD5

            0cd645b755da22e0caaaf11deffb9b74

            SHA1

            02c3deef153f5bcd0803adcc2a861179469dfcbc

            SHA256

            96fa003644d00bd2d93057c9ca9336d5d431fecd55b3db800aaca94e8b33ad09

            SHA512

            679ce27bfd0aa575af149f92ab85e156232059ac89585d88bc406bc4c5c64cc3baa942aab5e41b753b69674ea9a3b6c170f5d3be27f5f8d63c51faccf89033ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Many
            Filesize

            64KB

            MD5

            20f97490c2d3b7483149d2f767a5aa4e

            SHA1

            d89692308718c57759a8fe22eb33336047624ff5

            SHA256

            429992a0bed7b71116112bc1336a26fe1ddefc6fa41ff77eb9ae1870c27aae28

            SHA512

            d6c022c10b67bb18dc8e7c1b84eec8a53c22276067146622fd0cfb18100b8db5ddcbc6cf2790a4410c7441cf251b2948415966fa9f26cb4e1ee9afeeb33ac9ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Patches
            Filesize

            87KB

            MD5

            e37280b53ac41bf21c150bdefab1aca1

            SHA1

            b3a3aa05bf767e26847d4c7f1cf10d68720a5638

            SHA256

            c3e7e1af7e488413ce7fd063964f732ce94ab509909a66a97eb6ba9a6d7e41ba

            SHA512

            1f56b2d0416d361ec11fe0aa2484a4590c9206effb70c1b647cff979e2c8d4e0c3a8b919e22d0044c92f0707e8af42e11ee4d52735fe940d2ac43218477f4236

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Reforms
            Filesize

            63KB

            MD5

            ab5467bdc46a4829815a8185e59ea6a5

            SHA1

            b31a116274b2de76089b2cf49f25c27c5708965a

            SHA256

            f6168b8ff728188fcd4842502ec345bf242f6108d0a588973e23075af73bdf84

            SHA512

            f916b7da0d3c977c6888832041e05d3c16625e4fda7117f4b8d94fd4916317054e8faedaa7c31d590884c7d3ffaea4ceb30693e3b457b805e5c6c8b59eedf24b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Represented
            Filesize

            62KB

            MD5

            8d3634a46a1becb132aee9a211829e33

            SHA1

            22a7340451629074bb9759a24af9e126092596d4

            SHA256

            35312ab76a248d384cd179408e3547d4eb45587fc4f2a12fb3232f08234e2738

            SHA512

            4ba493eab4baa9548d065fe16ef835ad6e6e719df6b5ba552fcacd3b345f40c6d74ca3749495fd5197e0a3206998df170e74dc03154834f673d7360e9565b17d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Reviewed
            Filesize

            82KB

            MD5

            3da8c9a90b4101de625f18dd40ce213e

            SHA1

            d06c9aa45c19717a50c600eb8b12120364d4e4ab

            SHA256

            fba8862aad3b21ed65a09b327fb35d6e3fd5d81464859b28eb6bf7a06f398a89

            SHA512

            624c96799dbb0db784bcc52587217c3d968010f272c2f6864153b634bfd8cccdb349c3bf703eaf06c3b45880e67409af72b117befddb9e0da639003dc4d2fb22

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Supply
            Filesize

            18KB

            MD5

            83b7c701ee65a108f762209d7093843d

            SHA1

            1ca0b121ffe19d25c2f96cf13cb5c9ec93c7ccdf

            SHA256

            24b6d203ec7efd376610cf56401f580bbca18f3856fe40b936773ac3b5e99042

            SHA512

            51013a544d1a0bcad927b959dbd9329257dcce41e772ec1d9721cf086bb11037f375bbeba678965fcb875416e48cf749cc6776cbd090a750b020162046c7150b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tea
            Filesize

            71KB

            MD5

            32d103d228f2af278c10cc37b668f88f

            SHA1

            c1cb159d035155db18bd3a97eb195ef7d3e7116b

            SHA256

            871b67bc5bd9f6f918e3d5ac5b76653f8ced8d541523291303ee282f76f6edbd

            SHA512

            29117094138836dc5a59147b6f58b9ad8e8719b1c61035555f67aaeb9275bc4eada0ea37fbdc2085f2dc4c1b3e84013a103672188f1813bce640394d2526f3c1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Worm
            Filesize

            99KB

            MD5

            ed91c39832092390ae0ff0f17d4a305b

            SHA1

            d0a5c3a8ed522173cd5507e84ae57df5234537b8

            SHA256

            fb6d80b8e5f951be19bc5bfd60ed24065bd2bd0f27d295801d05adb2ad022837

            SHA512

            b353de65271b301a68109d6061c0573b4f9366d91ffbdf160e5fdd732699de1238518bcc1fa1408d797c4b7a1b57dee5015b53a11bdf400392bd4ef59718f0ad

            Download Submit

          • C:\Users\Admin\Documents\piratemamm\0zCHVDmVFx4ZQwSa3BccZlAg.exe
            Filesize

            7.0MB

            MD5

            72f119a51ed452aaa3dcfa4f980f7d76

            SHA1

            df6472d058a43f8c5e9cccaad52003be152279c8

            SHA256

            f2e31778bc042827e79f1768da0f252bcd002ba1f392f9fe8ef6aa3459cc035a

            SHA512

            1f674eb3c7992d212661ebffc42345f02ed6ba79ab9eef1c9088f16a054c72b00762fb7e00645016aa3f73f4f46156bf87f1ce83d270cbf9a9bb8e061c639a2b

            Download Submit

          • \Users\Admin\AppData\Local\Temp\727240\Cheap.pif
            Filesize

            1.0MB

            MD5

            c63860691927d62432750013b5a20f5f

            SHA1

            03678170aadf6bab2ac2b742f5ea2fd1b11feca3

            SHA256

            69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

            SHA512

            3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

            Download Submit

          • memory/656-59-0x0000000000490000-0x000000000063E000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/656-61-0x0000000000490000-0x000000000063E000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/656-69-0x0000000000490000-0x000000000063E000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/656-58-0x0000000000490000-0x000000000063E000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/656-81-0x0000000000490000-0x000000000063E000-memory.dmp

            Filesize

            1.7MB

            Download