Overview

overview

10

Static

static

10

ddecf455e6...a8.exe

windows7-x64

7

ddecf455e6...a8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddecf455e6cfd04276814dba2e6f642eca80c0f09a912b97f483233b81a4afa8.exe

  • Size

    149KB

  • MD5

    847291ec10f4c2ec9704e647f3985384

  • SHA1

    b304c676cc362fef6229e4e4fd4f40ab64552209

  • SHA256

    ddecf455e6cfd04276814dba2e6f642eca80c0f09a912b97f483233b81a4afa8

  • SHA512

    105ae68d92fb055a6fd88f2d95c73afffeec3f603996678cf7da1c62c01b2bc2e3a57ab1602049d3844207d20d688380835665e95ec103a6c7ccaa3914014a7d

  • SSDEEP

    3072:N6glyuxE4GsUPnliByocWepFAkrUmcmWDVGRJ9Y:N6gDBGpvEByocWe7AuUmcm2VGz+

Score
7/10
defense_evasiondiscoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddecf455e6cfd04276814dba2e6f642eca80c0f09a912b97f483233b81a4afa8.exe
    "C:\Users\Admin\AppData\Local\Temp\ddecf455e6cfd04276814dba2e6f642eca80c0f09a912b97f483233b81a4afa8.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\ProgramData\BB61.tmp
      "C:\ProgramData\BB61.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BB61.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini
    Filesize

    129B

    MD5

    f8591376ad5500a53ef587bd00114e00

    SHA1

    1067f5c0a52912f72b046e0f35e370d1d5db5017

    SHA256

    c2b9c4d5fa60e29a7a11dd0e7b04cc4ccf08272d34ef10f5c357ddc9e45fe3ce

    SHA512

    5d5a4837e646dc31ff4c75a0f2549d01da314386aa22d869d93feb6b3f9789a1105902968c05b605c8c2dd594e40de46c5603d18f42b03b44099ef284efea948

    Download Submit

  • C:\B8w3glbyj.README.txt
    Filesize

    2KB

    MD5

    b2ee65a230019cd9d69d605d2c392ecc

    SHA1

    ac8e8570fa756081c6892f6d225be0a7e93c64a2

    SHA256

    1ebde9c1e86e81403a167afd1c80590c147ee530280f8dc45860c2da111fa707

    SHA512

    9daaf0eb4abc4e8ccc0bb4c4bca4f2762a5beea2a7fc2c7a10fbfa77004d42905b0ec4aae397bc64050d7da7cf1bacd38f5833a7791dbb279b1ff4b90c831baa

    Download Submit

  • C:\ProgramData\BB61.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize

    149KB

    MD5

    1c730aceef0a836d49ce00ef4a24b74a

    SHA1

    f84252bde3535d045a743e400fc0843ebd988b37

    SHA256

    0c3fc10a91805c24d9fd7e0316fe02104556e3ad5585bdbc7975062fc1b34277

    SHA512

    32e3c2297cc81ffe731d406de52f73afe2611fda5a214b1987f2866d53d4f5c62d475a72004584e095911fb115cc6ae2d9b99f5954cbaead50be8d3fe6424676

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    901a4c1cc0f76c66f5dd57d1692a1874

    SHA1

    fa07797907748a9b5a9bba170917042d1285e822

    SHA256

    004a62eac436461222bdd66820b798f869d3cba7604d7d996d095d4108671fae

    SHA512

    c8da96fa9e56f0941659790c420933532a522fe510b0897ac82d2d9c0f51b1330f211c6693890d4d451f3bfbb2cfe8c526adb176d2e1e40c4263f17616bfd31a

    Download Submit

  • memory/2292-2980-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-2981-0x00000000024E0000-0x00000000024F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2292-2984-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-2983-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-2982-0x00000000024E0000-0x00000000024F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2292-3013-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-3014-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-2973-0x0000000002A30000-0x0000000002A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-2975-0x0000000002A30000-0x0000000002A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-2974-0x0000000002A30000-0x0000000002A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-0-0x0000000002A30000-0x0000000002A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-1-0x0000000002A30000-0x0000000002A40000-memory.dmp

    Filesize

    64KB

    Download