Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 11:16

General

  • Target

    d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe

  • Size

    85KB

  • MD5

    e1e788e36729db3bd1c754a160340021

  • SHA1

    fbf1072e91554603dbf86599ad2571a513b2c6db

  • SHA256

    d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857

  • SHA512

    7a442471d5d5451f2fb6005ae368bb6eba299b73dd37711b4136049fc53c067786b4cbe2a038a76a5458d068508dc2c34c3b14e106940e6f718a2f60a61f7535

  • SSDEEP

    1536:bWmBAmo4YsUvAMbRxQx+3KuKkcUoTfTH+k6dwymR:bHoOUvAMbRNKEo3HnpD

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe
    "C:\Users\Admin\AppData\Local\Temp\d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab4E60.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe

    Filesize

    1.5MB

    MD5

    cb3696dc44680137c5e84838b3db3495

    SHA1

    9b14db1e4a9aea7779fa0af246ddfa96be418a55

    SHA256

    4e7315adeb47ff58e6dc86a73cfa11027c48e32f7a26fcf1e0460a9aed8c4583

    SHA512

    c57e6833bc2e12709b2e4225970de39acabca538ebb4f9a75a4570295d0115368b306da2616ed3cee3b73a26af8f5b3e3dc2eb4f03874ba924f99cfec87aca4e

  • memory/2708-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/2708-0-0x0000000000270000-0x00000000002A9000-memory.dmp

    Filesize

    228KB

  • memory/2708-20-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/2708-21-0x0000000000270000-0x00000000002A9000-memory.dmp

    Filesize

    228KB

  • memory/2708-23-0x0000000000270000-0x00000000002A9000-memory.dmp

    Filesize

    228KB

  • memory/2708-36-0x0000000000270000-0x00000000002A9000-memory.dmp

    Filesize

    228KB

  • memory/2708-37-0x0000000000270000-0x00000000002A9000-memory.dmp

    Filesize

    228KB