Analysis

  • max time kernel
    7s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-11-2020 07:53

General

  • Target

    97ae0539568cfb2e8a4d2f156b190f2c53e5cacdc38b2f3af3fac3e61a16230c.bin.exe

  • Size

    589KB

  • MD5

    cb012d603d143ba32014c24a0f5aafa3

  • SHA1

    eab1d2959d4f7dde4bc69cc355071565a2cf3553

  • SHA256

    97ae0539568cfb2e8a4d2f156b190f2c53e5cacdc38b2f3af3fac3e61a16230c

  • SHA512

    ae118dd8cd51e615cd4312d80c8a5fc2cb03ac3dcb2eaea65464800a6942f908b2d3191b2f3ef49180803757c642c4cdd93908dfa99d1e0d42eacf506e9de6af

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\97ae0539568cfb2e8a4d2f156b190f2c53e5cacdc38b2f3af3fac3e61a16230c.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\97ae0539568cfb2e8a4d2f156b190f2c53e5cacdc38b2f3af3fac3e61a16230c.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Users\Admin\AppData\Local\Temp\SU925.tmp
      C:\Users\Admin\AppData\Local\Temp\SU925.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2000

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 2
  • Discovery: Query Registry (T1012), 2
  • Discovery: System Information Discovery (T1082), 1
  • Collection: Data from Local System (T1005), 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SU925.tmp
    MD5

    b1e90e6ef07e0b4ed5ee6aee4a7bd319

    SHA1

    a530298c46e7190b8e085116bd8a59297f1aa82e

    SHA256

    dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c

    SHA512

    5dd5bb01b3520c07d7b8147f9669e69fc264d82d595b92f8cc9b3d96f53addadd2291b003b3aa1dd2197ade1213d7a30d166fd893c7b56e8979713082dc17b55

  • memory/1972-4-0x000007FEF6010000-0x000007FEF628A000-memory.dmp
    Filesize

    2.5MB

  • memory/2000-2-0x0000000000000000-mapping.dmp