Resubmissions

  • 04-11-2022 23:59
    221104-31zxvacbc3 8
  • 24-12-2020 17:30
    201224-s43rdxvlqn 8

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    24-12-2020 17:30

General

  • Target

    sample.exe

  • Size

    26KB

  • MD5

    c7cfaca6501361febe27a6b3e66a61bf

  • SHA1

    55a3414b9668596e120139a059db91a306281dcc

  • SHA256

    fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44

  • SHA512

    490814ad45e81ca6712c179fc6f9849788da1e379a02597136a52cc8695d895b648676f1ae2ee200effdac0f0dac7d56bef0af3b6854c8c150f33120af4d75a1

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • JavaScript code in executable 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 196 IoCs
  • Suspicious behavior: EnumeratesProcesses 218 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 279 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://primearea.biz/product/235093/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder
    1
    T1060
  • Defense Evasion
    Modify Registry
    2
    T1112
  • Credential Access
    Credentials in Files
    1
    T1081
  • Collection
    Data from Local System
    1
    T1005

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    d8794710f1a7e49c82ac9ebeac0571f9

    SHA1

    6627b433dff125e5cd02367d7f913d1606613f2d

    SHA256

    4e9eb85aeb94e389a938359414059986c184b350408eb70026c088962381300d

    SHA512

    f9319dc608e65b652150f2b50817c81b741e8058cc667ece2f0be863e184697ad8eb0ada1a29277daa7c8ca79438dccd97d9722c93b30db006221a374c3815a1

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    883d4d4799e711ef486ddf1591424d11

    SHA1

    82f5f763d54eb22c67b881b2c5f762985f820c41

    SHA256

    bb1e69b55fd091fb50966d5150f5e1037ae5a197b97aa1caa8fbc62505c7cb10

    SHA512

    a52fc4836d968cd54f50bb7ce74a80563bf76e75ce9ea9ff37f4fc244bc5c55ff2f6191384aef9524c80801262209cf012597b8bed588c2664bcc6307d13b7a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QYUGNZKW.txt
    MD5

    a6ff9833d741e526a3e198bdebbacecd

    SHA1

    86e3cbcf250e3af6eac0c676309df4edc8757b02

    SHA256

    70de6dafd48184d8407537279b6957ff1ab62f6f9f632a2bde5c926777ceb9dc

    SHA512

    148fec85434460933431139941b5f8f43eac383852deafdfcbc6fea60509ed66343f33b91883a982b94443f074bbe070be189ad33aff2194fd2f11818c760e22

  • memory/932-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp
    Filesize

    9.9MB

  • memory/932-3-0x00000000009E0000-0x00000000009E1000-memory.dmp
    Filesize

    4KB

  • memory/1220-7-0x0000000000000000-mapping.dmp
  • memory/1764-6-0x000007FEF61A0000-0x000007FEF641A000-memory.dmp
    Filesize

    2.5MB

  • memory/1780-5-0x0000000000000000-mapping.dmp