Analysis

  • max time kernel
    116s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-10-2024 13:30

General

  • Target

    5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6N.exe

  • Size

    2.5MB

  • MD5

    414753e6caa05ca4a49546cec841ef10

  • SHA1

    998c0b4533f3e00eeacf441fbe29575198a574d4

  • SHA256

    5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6

  • SHA512

    c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7

  • SSDEEP

    24576:wV9cJXtGndLzF0szq2l9RU0t+kRsKWj+dWdo+Ec0xMki8UsU3AoAMXqozj+inKM:k9cJXcndLzF0OU8VdWdqMXqozj+inKM

Malware Config

Signatures

  • LatentBot

    Modular trojan written in Delphi that has been in the wild since 2013.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\temp333\install_2.dll
      "C:\temp333\install_2.dll"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\pYpM3iGW1O\ybtrrus.exe
        "C:\pYpM3iGW1O\ybtrrus.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\SCHTASKS.exe
          SCHTASKS /Query /TN "Boomer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1976
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\pYpM3iGW1O\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\pYpM3iGW1O\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1148
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pYpM3iGW1O\ybtrrus.exe" enable=yes profile=any
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4572
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pYpM3iGW1O\ybtrrus.exe" enable=yes profile=any
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:5012
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ipconfig /flushdns
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /flushdns
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:3100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Scooter Software\Beyond Compare 3\BCState.xml

    Filesize

    309B

    MD5

    7fbbc74b229677cbcdb28b73aaeb6d29

    SHA1

    15bf28dc6f294335cee32e375d738a0e343ac4f3

    SHA256

    f1c297c82930c30ab7397ebf6f0c90334c743578959140766f0e5e4861fd2dfc

    SHA512

    c2066133b77dd7171ef36ad61ca3493361ffeb82f273deb1f777c4f9d981f21844bbfec6b200f1bacb6b5b9d1a0b1aeddacda20798b2b5e7548240fbb7ec916f

  • C:\Users\Admin\AppData\Roaming\Scooter Software\Beyond Compare 3\BCState.xml.bak

    Filesize

    184B

    MD5

    b1f998980222af62d90b11306a64525b

    SHA1

    2c9f44bc26838f53085bce97010e4cd2974cfb7c

    SHA256

    cc5e921e3e318aa5541f24f5d72cde1f2f022010c8f39eea3fa610ad5ac5c854

    SHA512

    58f75af5641da479d704834c11c45ce88076e7969b05b3849a58ada125ceafef318b3b46d582d8509312737a1264eaa689a36ba9bda3618c021740f5e371dbd6

  • C:\pYpM3iGW1O\unrar.dll

    Filesize

    174KB

    MD5

    4289541be75e95bcfff04857f7144d87

    SHA1

    5ec8085e30d75ec18b8b1e193b3d5aa1648b0d2e

    SHA256

    2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0

    SHA512

    3137a7790de74a6413aca6c80fd57288bcc30a7df3a416f3c6e8666041cd47a9609136c91405eee23224c4ae67c9aebbba4dd9c4e5786b09b83318755b4a55fd

  • C:\pYpM3iGW1O\ybtrrus.exe

    Filesize

    9.1MB

    MD5

    74d3f521a38b23cd25ed61e4f8d99f16

    SHA1

    c4cd0e519aeca41e94665f2c5ea60a322deb3680

    SHA256

    1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845

    SHA512

    ec1c8b0eb895fd8947cad6126abc5bca3a712e42475228b9dcb3496098e720abb83d4cba4621edbd8d3ad7f306a5f57ced9c2c98fe2c2d0c8ebbbf99d7faf0f1

  • C:\temp333\g2m.dll

    Filesize

    2.6MB

    MD5

    e0fa9d4894017e66af927bd72df16793

    SHA1

    b504698acb8d172488277c4fc24a819b1009fdf3

    SHA256

    fca664019d4465e2f9382c47da8acdf6739ee598191bd748c836a5f752031ad2

    SHA512

    839185ed2364b4dce93b245b33ffd9bf2ce3d830cdd45500081af93ae5733eff3ca7def9f66531350d0d8b1a5017b4601140ec7956891e926aa4a77c06ee3096

  • C:\temp333\install_2.dll

    Filesize

    39KB

    MD5

    d75badd2424af98cbb2dbefea073be58

    SHA1

    f876262525b5a0a325fb3b9f8346fb573a471936

    SHA256

    3496b97ebbe962cf054d85cd666353394f02113171a21bfcec1d46c276366623

    SHA512

    588cd280f607da44acf39c1f4c9bf3551ab9109ecc7567ac0f7353985959fdc8b318ff86da14f91163105ebd78257ddf663e452c027f191ada5d0bf9a97cf9e0

  • memory/1468-7-0x00007FF6A1650000-0x00007FF6A1754000-memory.dmp

    Filesize

    1.0MB

  • memory/1532-39-0x0000000000400000-0x0000000000D36000-memory.dmp

    Filesize

    9.2MB

  • memory/1532-53-0x0000000000400000-0x0000000000D36000-memory.dmp

    Filesize

    9.2MB

  • memory/1532-37-0x0000000002A80000-0x0000000002A81000-memory.dmp

    Filesize

    4KB

  • memory/1532-35-0x0000000000400000-0x0000000000D36000-memory.dmp

    Filesize

    9.2MB

  • memory/1532-40-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-32-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-26-0x0000000002A80000-0x0000000002A81000-memory.dmp

    Filesize

    4KB

  • memory/1532-36-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-54-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-58-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-61-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-64-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-67-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB

  • memory/1532-70-0x00000000055E0000-0x0000000007733000-memory.dmp

    Filesize

    33.3MB