Overview

overview

7

Static

static

1

a680fb2851...77.exe

windows10-2004-x64

7

Resubmissions

12/10/2024, 18:38

241012-w94ttszbjp 7

12/10/2024, 18:35

241012-w8bfwszajq 7

Analysis

  • max time kernel
    79s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe

  • Size

    1.1MB

  • MD5

    66310e73ba135067af9453c699a4c694

  • SHA1

    330a52436c0294d2ead08f7b86b9091591f55878

  • SHA256

    a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177

  • SHA512

    4893113b6fdf875b399fee26ca7153951fa5f84434e5de6504d5645657e9b8396efcdc72889dcc78ed49149434aa13e27006ea7855339f289e06781a7f20d49a

  • SSDEEP

    24576:BEqS1t2qh4zwnOd30BQuO883eB/qeV5WYeXEncWFtDxk4rk:Gd6EYr88O9TDncWNk4rk

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe
    "C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Boats Boats.bat & Boats.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3416
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 767644
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4580
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "MinsSlutsCompensationBest" Sexuality
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Investment + ..\Collectibles + ..\Usr + ..\Tell + ..\Maintain + ..\Arms + ..\Essay + ..\Having J
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3016
      • C:\Users\Admin\AppData\Local\Temp\767644\Hepatitis.pif
        Hepatitis.pif J
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
          C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\767644\Hepatitis.pif
    Filesize

    872KB

    MD5

    18ce19b57f43ce0a5af149c96aecc685

    SHA1

    1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

    SHA256

    d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

    SHA512

    a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\767644\J
    Filesize

    623KB

    MD5

    d0f8204072b82e078833bf1727c85881

    SHA1

    0b93c822a97dc8f1ce1957cda4eaf25cfe9e416f

    SHA256

    3341c28fa5ec43f8dd6444e072c653ab814c773caf13c1f1dc838a09d3cc3999

    SHA512

    d0cb90bc5f15268581aeb79d1375d81602b886cf82686e9885d7260d62ff3a66f1281be4852572aecda2b63726187ab3faea2d10b30e8f2ae3c85d3d26abf097

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
    Filesize

    63KB

    MD5

    0d5df43af2916f47d00c1573797c1a13

    SHA1

    230ab5559e806574d26b4c20847c368ed55483b0

    SHA256

    c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

    SHA512

    f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Arms
    Filesize

    79KB

    MD5

    0c32b9d39a642771c955215f14cd8e21

    SHA1

    078e15f9c344525b61c8fdab81821ddc9181cd18

    SHA256

    ea0d58d4bc3341422368e5b6259153c05cbeb0c7f3439771ddbe94900d319030

    SHA512

    cb71c50791503c50427e409a151b20076f0a6be70a4565c40c27c25289e7e5c75af702dd3847afe5c34c8609e971af10ac164d3958d8ee5f0f7ce2fb0cbab0d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Boats
    Filesize

    16KB

    MD5

    9d42197cdf269de306f38af0f0641ef1

    SHA1

    78e91ac01fe71e4ee1e2dfe2147d1e7a6647acb5

    SHA256

    c2bb7f9586469b1b703fa67664625705512b1f4c98d10589356c2623dad28d0d

    SHA512

    c09fd69e2d3554b0a611085ff99627de1b5b2cdf6fdc7bc1b7012dc19a59af4fbfcea1c3e9b2925228ff27e60a7385cac532f8eb4a6be0bdd6f74307bebdc76e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Collectibles
    Filesize

    95KB

    MD5

    0d394eb8840f0d8dea95f2b956dc1038

    SHA1

    60ceef3d8abd63ad50b1e78e495b9be4a7726160

    SHA256

    0f8f3828320274f8e23144a4841f0c0564ee11034a5b9630bcb6a467acff6870

    SHA512

    74cd2956e13a5541a00b82b732d4ca1a1f180ad0521a2b3d7a0b889cdcf35a65632e7eb4db408be28f505e05abcb711ea0ea3a83d5517ca5a514f2d5b4d2e191

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Essay
    Filesize

    78KB

    MD5

    517ee413f681d536ad909779d659edb5

    SHA1

    092a92b7cb072a7e80bb176a884cf434074cf7bf

    SHA256

    44ac6b3f22b65c71411027f5dea8bb4712baff0a59765e95e739e0a692fe8e95

    SHA512

    345dbdaeb7770c3a4b1c71a4ebdd0f2fe9793e036e36c51c1b074c773d689df7651aa34f368512e1afc2484591de4f238624a6f9ee2756fc39ca4b58b366a4c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Having
    Filesize

    29KB

    MD5

    e4f0d47e34d39d6621e2f51972ef5033

    SHA1

    e9365bccc76c187862d71cc26d7063e8dbd80d2b

    SHA256

    7438e5d0e5f29dd25fe9ff2e19dc80763261d7cd7e26526419a75bb4fb845069

    SHA512

    ddeae387a0591ff79f45086eb2816ed45293fd7d77da3d1e797759f1a3a0e08118dad51fad02306b27e8611492fee605fe901f2d1e9fe792a8d38e5d68d01f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Investment
    Filesize

    74KB

    MD5

    91debba345821583a96eaf0dc2602488

    SHA1

    6a8f5ee33eaa8cb6a4442b040440f3276058fa23

    SHA256

    9c517f91c3bb4050831893114b50cf2d45c275d26b6cb62693eb2c4c117fc986

    SHA512

    faed5051460518e78fb409708d458a3eeb14f5b70480a8613b72b7d95fd1f0a124ee2487081d93d39da7e8f4df4801137edfc9d737c16dc43626092d6f395fe1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Maintain
    Filesize

    89KB

    MD5

    fc06001223188daec0ebec3fd58281a5

    SHA1

    67e38a55320148dfcb0e9a794159611c9fc54392

    SHA256

    ed902227489a535235df6c66fa77603444cb06b1bb1964bb25ba9925ed328576

    SHA512

    0c7380beded918d828874f12d1a8705e62ddd9dc31b958b6309a53b4cb1fa682ffaa391147e27d9953ce03f590feac1bb1770a1abbb37e5d3289ac8e5f4a9cc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sexuality
    Filesize

    5KB

    MD5

    31091bdd4ac25ac99657ba80ecd99b58

    SHA1

    f0ac4b8914d99395d10b7fcf3593fea104312a52

    SHA256

    c99d10219cf197e96810af6a10905be622508623cb67a902006189e264afbe79

    SHA512

    850f1b201f2e595ca8dec674b58bbbf37141637588c20db660f5ea599d745d4e19a032a98fa78b09c20b83a57f623f59b98b10c7b1a8b25e1f1fa1beb44898d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tell
    Filesize

    99KB

    MD5

    bf47de0749063bb5cdf6101792af5076

    SHA1

    be1082bc1d75aabb97c27a1c2e8e1d985ef1843b

    SHA256

    c4c7cdd21ed46fc747c7034467e1006da9546394239a02cfaa0a00ac910f4e86

    SHA512

    ed04899dbf30df8fa6379cd3165956187a918bc00228000074879adcaa29a9d98aa112f9d462993f38023a3d101fd2b973a2df6a745652e1713be48ddd02255f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Usr
    Filesize

    80KB

    MD5

    c1202143072b2a8542f95275ec0598b2

    SHA1

    6481c289fde305555107ecb5d9922bebe5205d93

    SHA256

    ded71dd2b5a8500aea48c65c9e3154404f9b13c13af60a83831154917f3944ce

    SHA512

    5931e36e5fe9b6d8bebe9ab0fb28a5290a0800a44f94629789867c720068b1994852c143baf7e4f5898cfdecfa77cdc4d4c5abb22c6bb0dec04a29f864253616

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Vocal
    Filesize

    866KB

    MD5

    3b0fd8a40177d6fc4dcb502b414ade5a

    SHA1

    3c4cb556b86ab7932372665480ec4f3ddfce3a93

    SHA256

    a43f4500ef17e216a54a979d265d0825831ce7f4029931efa2a2b863d006261a

    SHA512

    25627124d4ed74d6ef342bbada876b9cadf5ce470438b0a9265a26d8eb3763847de9a1595c0b7700bf65faf7114de92f979f250c9c4b451d1f7860eda3a576a6

    Download Submit

  • memory/1488-35-0x0000000005730000-0x00000000057C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1488-40-0x00000000088D0000-0x000000000890C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1488-31-0x0000000000D50000-0x0000000000DD0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1488-36-0x00000000058C0000-0x00000000058CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1488-37-0x0000000008E10000-0x0000000009428000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1488-38-0x0000000008870000-0x0000000008882000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1488-39-0x00000000089A0000-0x0000000008AAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1488-34-0x0000000005CE0000-0x0000000006284000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1488-41-0x0000000008910000-0x000000000895C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1488-42-0x0000000009650000-0x00000000096B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1488-43-0x0000000009D40000-0x0000000009DB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1488-44-0x0000000009D10000-0x0000000009D2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1488-45-0x000000000AD80000-0x000000000AF42000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1488-46-0x000000000B480000-0x000000000B9AC000-memory.dmp

    Filesize

    5.2MB

    Download