Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 03:33

General

  • Target

    a9280272bf246833cac57134c1ae9f2175b1e6e2c3c696676f2094bc64c4271b.exe

  • Size

    2.7MB

  • MD5

    d4da6fd35f9c36a37219dbd3508c54fd

  • SHA1

    5245fedbde6369d227e622ad9511ca994207c3bb

  • SHA256

    a9280272bf246833cac57134c1ae9f2175b1e6e2c3c696676f2094bc64c4271b

  • SHA512

    60cb6c43d60d8f159611586d6889387c3ef2836e70981fea5fe49c394cf01f0eb44e2146c988da1f7c2bdc945e4730ed6650347faa34672646fe0e2fa454d72c

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpK4

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9280272bf246833cac57134c1ae9f2175b1e6e2c3c696676f2094bc64c4271b.exe
    "C:\Users\Admin\AppData\Local\Temp\a9280272bf246833cac57134c1ae9f2175b1e6e2c3c696676f2094bc64c4271b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\SysDrv17\devbodloc.exe
      C:\SysDrv17\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Users\Admin(
        C:\Users\Admin(
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:1536
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4600
          • C:\Windows\SysWOW64\NETSTAT.EXE
            netstat -a
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1896
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
    1⤵
      PID:3572

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\KaVB1I\dobdevloc.exe

      Filesize

      2.7MB

      MD5

      832c4e71a2d5119d360777ddd0b96cab

      SHA1

      432ad8d4ccf89fc87c84865f5db5ff203f42cbb4

      SHA256

      4ba9794c1f433880f23236792957a99d936d7a06a9989fb27ffee665c55f50aa

      SHA512

      ab8a7b0d85c694693f0b6e262554390ed1d5ef22a84e527f76efff9e8cd1fef770b01d07dc90f22f244f40cc6a538c32bc32bc07a850cb0c780a18f03af80194

    • C:\KaVB1I\dobdevloc.exe

      Filesize

      2.7MB

      MD5

      8e254d0e53e952d05a81b15714258b2c

      SHA1

      26b9e638ca4e255cafc0fa23dc2fea50fc21a4ef

      SHA256

      87b8ba1d015f63bf5234268ca99c5c2120a078a700f9c6978b03c0047b13932f

      SHA512

      2398e21a293568624a278a3dd5ed64a6eb182985f07b66ccf98bf45ca4436e6b85e262429b296ec692c269058e976668a1ed023e299be6bdfb4c924010443b60

    • C:\SysDrv17\devbodloc.exe

      Filesize

      2.7MB

      MD5

      d0675fcacafc92670f035090d881d761

      SHA1

      8f43691a862cf98f7ffae7831f1780d02e005019

      SHA256

      9fe26de8f20d0501871ae1140560f8c3a975d2d7303130c771f43e3c4c02853d

      SHA512

      e5ef56a67618a6caae05fc2f203226f6af64affa4bdee7e47c9d9de30e8d6ec54491ef4becce049c087c44b85369ba09bbad962a31f4b52eead38643812c42cf

    • C:\Users\Admin(

      Filesize

      2.7MB

      MD5

      5390262eda2a400ae3928b2da2225e53

      SHA1

      fb27a02bf8ca2031da605fce4063846946374867

      SHA256

      2b0fb596c46449c15cdbdca92bfc5fb004ef5b51d778d85e132972b772be927c

      SHA512

      998671175c0034ac16aab63a3db7550ece1b35fc4ab16b732b010f6fd38056674c1d61038b6059e3000b0b2d4745d44b0d8740187350671fdb902563e3ae83b1

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      209B

      MD5

      b6561ff223c6cf0c3fd0ded0cdda2b74

      SHA1

      17ab4c1ebc4f5f1ac1e5034e8cba4c45b267a210

      SHA256

      993f66ba25d0cc94e1628064625af3f16be73a88a37c02a6658f3136b5e5446b

      SHA512

      3ee0afbe45398a4e26444c581fd1f109c2959d04d696eef4952ec442c1e4f73dfe8504941fb6657c4524a3033aace7910f49d4f2c1339dbb252eaa36878aa04d

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      207B

      MD5

      c930d63f553561f1bd17d336a60fccc9

      SHA1

      a4705f142f3c2348f7b3b04b301d229d05882246

      SHA256

      e58d383a2ee24d8fd2be565a268357d149384e1630a9ab8f69dcfe54d509e459

      SHA512

      14b6de0e62746146d2ddf211cec5014381ad6029ce494b968a31fb8bbb4355e8736abc6dcbdae8be122f51a1cf077db3a8118b1b5ab889a6240fcfe4bd9452f8

    • C:\Users\Admin\grubb.list

      Filesize

      39KB

      MD5

      d4bc2cb599c66ec88c33fbf270b6f466

      SHA1

      1d8d4a67622f6f3e58cbe1513af250e8abbb43ee

      SHA256

      35cfd59e70b64a657fedb7d54dd15b533b7706ed26101f848017355a5ce38cd4

      SHA512

      8dd65c3001bcda1d8fe8831f45319d629f0837000b64929fda54a43bf614236f2506941caa590b1d34a84cdcd0e7f9faee3e2e33f2f3b177f78b11d7501d543d