fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe
Size

200KB
MD5

e084a43630b34f1c1df862f965d51a10
SHA1

95add3670a38124d3ea0f79c6255287feb2844b2
SHA256

fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3
SHA512

4303687f83b76a99ab2b07edb7c11a2bf4f33b0c6e7363ccb5988ea1b9dd6c645a2426a67507fcfa4b296dc71ac1fb528a657d423f90ef52711b96edc7ba854f
SSDEEP

3072:2GqUIPOWeQyB/qM9djctpsO/r6ElSVN2x4N:BqUaONHBiM/4tKm

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
smartz1337

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	0jpz.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0jpz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1932	timeout.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2200	2372	fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe	31
PID 2372 wrote to memory of 2200	2372	fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe	31
PID 2372 wrote to memory of 2200	2372	fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe	31
PID 2372 wrote to memory of 2200	2372	fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe	31
PID 2200 wrote to memory of 2192	2200	0jpz.exe	32
PID 2200 wrote to memory of 2192	2200	0jpz.exe	32
PID 2200 wrote to memory of 2192	2200	0jpz.exe	32
PID 2200 wrote to memory of 2192	2200	0jpz.exe	32
PID 2192 wrote to memory of 1932	2192	cmd.exe	34
PID 2192 wrote to memory of 1932	2192	cmd.exe	34
PID 2192 wrote to memory of 1932	2192	cmd.exe	34
PID 2192 wrote to memory of 1932	2192	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe
"C:\Users\Admin\AppData\Local\Temp\fdf493e7b3d599f645fe0ec1c2ef20f7040c31a028ac954ea6596d71a3a109e3N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- \??\c:\0jpz.exe
  c:\0jpz.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 5 && del c:\0jpz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0jpz.exe

Filesize
18KB

MD5
c749ca987b88624266addb688a43e328

SHA1
6a87ee80a8be1b61562d42ff19e6f7ed10b193b0

SHA256
c87244dedc38f034a6a1d8bdd9a7e0d10689e3801d2ac203bc11820161069255

SHA512
9ec37ac7ccdd364b852b7ad6afaa73728cf6d5c329537ebc2d91a261a87a961293b566b53b1fac411f44edd558c6d2534000f561c9fb0f318ed6902198041795

Download Submit
memory/2372-0-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-2-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-3-0x0000000000560000-0x0000000000567000-memory.dmp

Filesize
28KB

Download
memory/2372-13-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

Filesize
9.6MB

Download