Overview

overview

7

Static

static

de763f9328...fb.exe

windows7_x64

7

de763f9328...fb.exe

windows10_x64

7

Analysis

  • max time kernel
    131s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-11-2020 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe

  • Size

    647KB

  • MD5

    dd7a4ea55e1db3432506b4394150a1e1

  • SHA1

    d0484e079e1af25d720d2108e2abd6e17ad755dd

  • SHA256

    de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb

  • SHA512

    d7edf1e611c4bb3ef1246672bac5160549f51fec04cc209d15cf96537fb8239e6cf4710c5d69c13836c6d2d317aea974096e8d719f5ecb8a6a89386edd4cec8b

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 7 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 105 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe
    "C:\Users\Admin\AppData\Local\Temp\de763f9328ac80cc69b3a48038fb2d9564e35d3ba7900ec30fb8620b9dc7d1fb.exe"
    1⤵
    • Checks processor information in registry
    PID:3372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 780
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 924
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1056
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 924
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1096
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1152
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1104
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/760-10-0x00000000047E0000-0x00000000047E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/760-13-0x0000000004D10000-0x0000000004D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2328-17-0x0000000005140000-0x0000000005141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2328-14-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2756-21-0x00000000055D0000-0x00000000055D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2756-18-0x00000000050A0000-0x00000000050A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3120-24-0x0000000005050000-0x0000000005051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3120-27-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-28-0x0000000004D30000-0x0000000004D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-31-0x0000000005880000-0x0000000005881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3372-1-0x0000000001290000-0x0000000001291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3372-0-0x0000000001001000-0x0000000001002000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-6-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-9-0x0000000005460000-0x0000000005461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-5-0x0000000004B80000-0x0000000004B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-3-0x0000000004450000-0x0000000004451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-2-0x0000000004450000-0x0000000004451000-memory.dmp
    Filesize

    4KB

    Download