Overview

overview

8

Static

static

676305bece...85.exe

windows7_x64

7

676305bece...85.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    73s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05-02-2022 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    676305bece6f0b49d822849ae0873025666d31330d27adf10cb57255f1bdb585.exe

  • Size

    425KB

  • MD5

    5cd2cbf405a8ed0cbc8ffcc39c0949e0

  • SHA1

    ddec66684726f458b47065b443857f78bbb40a1c

  • SHA256

    676305bece6f0b49d822849ae0873025666d31330d27adf10cb57255f1bdb585

  • SHA512

    4bacc3f5c86e7ac12c3ea5bcfdcd4bedb05fefb6221371a989fd48457b2b907fb9e5b147cafc3929bd665039e585a889e79d7ac0a4d1c81be75651b332bedbfc

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\676305bece6f0b49d822849ae0873025666d31330d27adf10cb57255f1bdb585.exe
    "C:\Users\Admin\AppData\Local\Temp\676305bece6f0b49d822849ae0873025666d31330d27adf10cb57255f1bdb585.exe"
    1⤵
      PID:3032
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe dc38358430901d37a7a40151bcdbb734 4pPx80TLdk+Gzb60DMTtGw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:4680
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    5
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    5
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4476-142-0x000002321E050000-0x000002321E054000-memory.dmp
      Filesize

      16KB

      Download