Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 04:01

General

  • Target

    e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe

  • Size

    116KB

  • MD5

    fb7108076d1f05c1329def47949c2244

  • SHA1

    0b918aea3331ef68f16fd65e52b8b1e6b266b133

  • SHA256

    e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48

  • SHA512

    65d3302a403db8c5a3ddb40bc7277bf6c95a24ab51e3bd87ae88c8101d0223c30eb658a20b2d269ec8ddc55e5cd305fe40ee73ee367ec192ce67f6599cef8f93

  • SSDEEP

    1536:YdHRE46IU/k/Ps33emygycfBT2Qhs/cKur447WT+:YJmes335ygycfE3Er446S

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    iownulol

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe
    "C:\Users\Admin\AppData\Local\Temp\e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\Runescape.exe
      "C:\Users\Admin\AppData\Local\Temp\Runescape.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Users\Admin\AppData\Local\Temp\Phish.exe
      "C:\Users\Admin\AppData\Local\Temp\Phish.exe"
      2⤵
      • Executes dropped EXE
      PID:2356

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Phish.exe

          Filesize

          48KB

          MD5

          64018530e2a929b505cf0a89e6853ad2

          SHA1

          6f8d59180066d9f5a68ca3fb9fbcb40909b4ae08

          SHA256

          000b416307ff025c7eff7782ee56e4c8128ba66a492a6610455207d6dcae31d4

          SHA512

          99f7f8fef47b2b7ffb9091ed824396decc8410a1834b70226c3e9e15bd492e66b4bc9dfd78134dac5e62ef16f6c36c9eee07673c1288c70e36167101db45caa3

        • C:\Users\Admin\AppData\Local\Temp\Runescape.exe

          Filesize

          24KB

          MD5

          5725fddc594fcc26a4b2040f7eb639d2

          SHA1

          1a6c09780cb1819c0c1630d55a6543eaced667c7

          SHA256

          e84fb1db0322b593cd960db8717db63ade23e3d9558cd1e93e717a20d08e9ab7

          SHA512

          ff2e6b84d0dfc89c7bec895bce69b9d53db918198d4bf167b80721ad54fdf68fb93f5b9437977ecb1a412990969818ba001d1df1a27ec13c99c8031b33c0491a

        • memory/2332-0-0x000007FEF6A2E000-0x000007FEF6A2F000-memory.dmp

          Filesize

          4KB

        • memory/2332-9-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2332-14-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2332-18-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2356-15-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2356-16-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2356-17-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB

        • memory/2356-20-0x000007FEF6770000-0x000007FEF710D000-memory.dmp

          Filesize

          9.6MB