Overview

overview

9

Static

static

3

1cd55f5584...e4.exe

windows7-x64

9

1cd55f5584...e4.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    140s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cd55f55844375499f19a7a88f0e61eb2662720f05d9e9397cb205bc0a15c9e4.exe

  • Size

    915KB

  • MD5

    fa4a49ff0acd3652ec97a23cf2026331

  • SHA1

    8c168f4efa3b3fadaa6d7b64dada8424ffcb45d3

  • SHA256

    1cd55f55844375499f19a7a88f0e61eb2662720f05d9e9397cb205bc0a15c9e4

  • SHA512

    95dbe72ea0144f5e4d1fd240811487a2c40b3365738758301485e7a91c0f8ea54387e0e77d690a1386dc4c1084d3814bdc4624be06ee29b32575733b60c292cc

  • SSDEEP

    24576:zynTm5wm55BcL/o59eSaxupKurTH1b0OTf:z/ibo58iZrTVb0of

Score
9/10
aspackv2collectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detected Nirsoft tools 27 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 26 IoCs

    Password recovery tool for various email clients

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cd55f55844375499f19a7a88f0e61eb2662720f05d9e9397cb205bc0a15c9e4.exe
    "C:\Users\Admin\AppData\Local\Temp\1cd55f55844375499f19a7a88f0e61eb2662720f05d9e9397cb205bc0a15c9e4.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Users\Admin\AppData\Local\Temp\8D8A.exe
      "C:\Users\Admin\AppData\Local\Temp\8D8A.exe" /stab "C:\Users\Admin\AppData\Local\Temp\8D8A.tmp"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Users\Admin\AppData\Local\Temp\9173.exe
      "C:\Users\Admin\AppData\Local\Temp\9173.exe" /stab "C:\Users\Admin\AppData\Local\Temp\9173.tmp" /no_pass_cred
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8D8A.exe
    Filesize

    87KB

    MD5

    c2823f56d69cb70849fecf234c767b61

    SHA1

    13b05525cc52ab396ed046e5326ad36bbe8e0d95

    SHA256

    8f20fb47434eba365a366e5e507e43012aa09c71d36d92a846e1d1e4729a26dc

    SHA512

    b091c33a19c63c1da7b43322eb535a6c455e40e16601b73449f5a9563280ea0d31eb814368af45b169b7de75fbb55a22edacac383fdfa893e40bdbd5e2632724

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9173.exe
    Filesize

    48KB

    MD5

    045585e0b15eef92c44dd4ee86d51c8c

    SHA1

    3fc0961946706ddb3538ef89dd9eb42a8ac9da4c

    SHA256

    481ddfd994085f7fa40e92369e0fca2bdde198ffacdb5138b4de2e6ef0a6aab4

    SHA512

    b5d8f889327d01f7ec348bb3303592f271b289f585fc591953493f05f8ca2ed6f9e83d1018c38df8bb9998bb9ee19b6fb78c8a01e370e8dd32895ded34b94b3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iepv_sites.txt
    Filesize

    186B

    MD5

    762c597cbf0458242b32a770b29830ab

    SHA1

    079c64621c88414e9e59239eec0c789c0071dd68

    SHA256

    efacaa084e12cf26bc25ad83742b6ae9b1df4a537f13df802563af2270462cd4

    SHA512

    c0c4edc550b8f1fc36ef74b233b0e85a3669cb913057b4854d99d517554b6a8d17201938e7c3225eb6c87e9eb3277c9044f0013f28bd27bd644ee8fd5802d661

    Download Submit

  • memory/1996-13-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1996-15-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3004-27-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3004-30-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3960-48-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-52-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-1-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-34-0x00000000005F0000-0x00000000006DE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3960-35-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-37-0x0000000002480000-0x0000000002481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3960-45-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-46-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-47-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-0-0x00000000005F0000-0x00000000006DE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3960-49-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-50-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-51-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-2-0x0000000002480000-0x0000000002481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3960-53-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-54-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-55-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-56-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-57-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-58-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-59-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-60-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-61-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-62-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-64-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download

  • memory/3960-65-0x00000000007B0000-0x0000000000898000-memory.dmp

    Filesize

    928KB

    Download