Overview

overview

10

Static

static

3

OurHack2.0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OurHack2.0.exe

  • Size

    424KB

  • MD5

    4a1213a8c757f3c6c02e098e6a6b99c3

  • SHA1

    4865d8f010a0929f3dabc631875699738b2c3e7b

  • SHA256

    7ca4702709ff125a7ec1e503b4358a3a8cb5cc282f57b262589e5c113c461b83

  • SHA512

    1613e0ae56a57a6e7935f4e7166c3c4e5b2a5683eb685d136fd32677e8c6f316d16c70064ba13e1101b6477f4fee68864358e091e0e7ab66b30e304b7c8d87c0

  • SSDEEP

    12288:pzDTo+c8NlvH0tGJjeM5u8v+VmlE2GLJ0uQ:9xbP0tkaM5Rwm62001

Score
10/10
collectionspywarestealerupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    kgarbuz2000

Signatures

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OurHack2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\OurHack2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\mpv.exe
      C:\Users\Admin\AppData\Local\Temp\mpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mpvp.txt
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      PID:4708
    • C:\Users\Admin\AppData\Local\Temp\WBP.exe
      C:\Users\Admin\AppData\Local\Temp\WBP.exe /stext C:\Users\Admin\AppData\Local\Temp\WBVP.txt
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\mespv.exe
      C:\Users\Admin\AppData\Local\Temp\mespv.exe /stext C:\Users\Admin\AppData\Local\Temp\mespvp.txt
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Users\Admin\AppData\Local\Temp\pv.exe
      C:\Users\Admin\AppData\Local\Temp\pv.exe /stext C:\Users\Admin\AppData\Local\Temp\pvp.txt
      2⤵
      • Executes dropped EXE
      PID:396
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WBP.exe
    Filesize

    183KB

    MD5

    6d95f03eaf83b31686f263260202ee36

    SHA1

    6633ac9d7790031b49bb2a4170ec77591d94bb58

    SHA256

    29f2a54c829c37fc904a2b682c50b57d6d35e9af5dc7f43d72b68c8c51255103

    SHA512

    a8dda5f3c9e493f9f0e17bfee40a73f74ac6c4276b22589ec9bb163a91f941d966e4ce3b0866be7488fddd229156d73017fb8b22fc3b90903591fef2045c2b46

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WBVP.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\mespv.exe
    Filesize

    65KB

    MD5

    ffc52f2b4435fcddaca6e15489a88b75

    SHA1

    63ec31a04cf176852344d544ae855da0dac64980

    SHA256

    3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f

    SHA512

    389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\mpv.exe
    Filesize

    50KB

    MD5

    a138fca70622323e45d6018125322051

    SHA1

    b91f8e20569fecabed22e48da5ec626758563488

    SHA256

    677d333648aba8e2538cbbb9fdd8a32901c67a5e10c8f951970313499304783a

    SHA512

    b89f1d513608f5b0f8022a8d983cdfec0064ecd5e8479125b40477738fc0f5e2b1aa77868333fd783cd5cd2233e0f018d16d8865650071b1a371d375c22a54ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pv.exe
    Filesize

    38KB

    MD5

    afe3aeeffaa1e1772a926ca45923f33f

    SHA1

    f20104fa1f75f341818751b5164b5c2b24d2dd9e

    SHA256

    6cbc1d59fdba6445b8e7243a08bd64816f01fcf6ce7f68570d9170e13c8810a7

    SHA512

    083732db58970d192b98c4298444b8eba2ecae5fa982b3d9505cfa17bce920106281f66df507e6e211d969a6c553d212e50dcdcfeab4b900301d01c442a0de91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pvp.txt
    Filesize

    725B

    MD5

    7797a3675f24126badb9c6c867b585fb

    SHA1

    3d9a871fbe04365d1c6b14bcfcdba217b6522cb6

    SHA256

    58389d981661268bd12d2a1f2e64aeed3f74a47fd55477ffed4792d3e7a4c4ab

    SHA512

    04511af2204b66febb0574dedf973ee5932d1960a49e20665da82374d58ba2703b420e2198856bf7d00bb1377cf776a265d8606cdc3cf98b419987b10dccdbd5

    Download Submit
  • memory/396-45-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/396-42-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1996-50-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-54-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-55-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-56-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-57-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-58-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-59-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-60-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-48-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-49-0x000001EC51AD0000-0x000001EC51AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2528-35-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2528-37-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2696-23-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/2696-29-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/2696-21-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/4604-1-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4604-9-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4604-5-0x000000001BD50000-0x000000001C21E000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/4604-47-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4604-0-0x00007FFDAAF85000-0x00007FFDAAF86000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4604-6-0x000000001C330000-0x000000001C3CC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4604-3-0x000000001B6B0000-0x000000001B714000-memory.dmp
    Filesize

    400KB

    Download
  • memory/4604-2-0x00007FFDAACD0000-0x00007FFDAB671000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4604-4-0x000000001B7D0000-0x000000001B876000-memory.dmp
    Filesize

    664KB

    Download
  • memory/4604-7-0x0000000001000000-0x0000000001008000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4604-8-0x000000001C5E0000-0x000000001C62C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4708-15-0x000000000041B000-0x000000000041C000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4708-14-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4708-17-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download