Overview

overview

7

Static

static

1

AWB-746262783-3.exe

windows7_x64

7

AWB-746262783-3.exe

windows10_x64

7

Analysis

  • max time kernel
    129s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    30-06-2020 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB-746262783-3.exe

  • Size

    317KB

  • MD5

    b12a47d8c210538c98d0bae4c80e3673

  • SHA1

    7db0e6af04c83227a3553fd422a4c55833f6743c

  • SHA256

    a64a6a0ae6521ef4dc140dcb3ea44f18c7cebe6ee6fee03c7b3ce1d125065aad

  • SHA512

    0dcbbc05a8a5a8290446862bfebd4f8e86ca777e377bebd8758973ed250f752d4dbb9a415881f38e487a52fd8f6300f73bf6e50d45c8b6bb342d1e07a02cfd36

Score
7/10
spyware

Malware Config

Signatures

  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Suspicious use of WriteProcessMemory 80 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe
    "C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe Fireside,Pretor
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1100
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
        3⤵
          PID:1092
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
          3⤵
            PID:1528
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
            3⤵
              PID:1524
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious behavior: EnumeratesProcesses
              PID:1512

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Fireside.DLL
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Mantel
          Download Submit
        • \Users\Admin\AppData\Local\Temp\Fireside.dll
          Download Submit
        • memory/1100-0-0x0000000000000000-mapping.dmp
          Download
        • memory/1512-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1512-5-0x0000000000400000-0x000000000044A000-memory.dmp
          Filesize

          296KB

          Download
        • memory/1512-6-0x0000000000400000-0x000000000044A000-memory.dmp
          Filesize

          296KB

          Download
        • memory/1512-7-0x0000000000000000-mapping.dmp
          Download