Overview

overview

8

Static

static

8fba92e773...77.exe

windows7_x64

8

8fba92e773...77.exe

windows10-2004_x64

8

Resubmissions

03-05-2022 13:05

220503-qbj4wafba7 8

20-04-2022 06:43

220420-hgxcdshgam 8

Analysis

  • max time kernel
    62s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fba92e7730c734197c8e5977533df77.exe

  • Size

    975KB

  • MD5

    8fba92e7730c734197c8e5977533df77

  • SHA1

    8106d808d0199d230b5943f15b1d85d05334d3ea

  • SHA256

    72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77

  • SHA512

    ab1e7246e219b63b65082de10be4f6880bee0e1b04a50722bb7a1b8cfa81853a5793f581decfc43b5f1cf02d01fdd4fa3bc047cbc28afc0f37f6f87b75b397bb

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks processor information in registry 2 TTPs 41 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fba92e7730c734197c8e5977533df77.exe
    "C:\Users\Admin\AppData\Local\Temp\8fba92e7730c734197c8e5977533df77.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Blocklisted process makes network request
      PID:2192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 624
      2⤵
      • Program crash
      PID:4132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 852
      2⤵
      • Program crash
      PID:3572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 952
      2⤵
      • Program crash
      PID:4816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 996
      2⤵
      • Program crash
      PID:4568
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2884 -ip 2884
    1⤵
      PID:4160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2884 -ip 2884
      1⤵
        PID:4484
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2884 -ip 2884
        1⤵
          PID:4796
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 2884
          1⤵
            PID:4956

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Wysrrtpeu.tmp
            Filesize

            3.1MB

            MD5

            64fe5740f3dd726c1fbb9cac70e55666

            SHA1

            e2a830f232878c5da0be1795c7a4518e4ee52431

            SHA256

            ae1638c788ae8f402a7f6df7f01e8cc837206e042460309a8eca4ca9a5f83bf0

            SHA512

            727369b06dc9ec443fe60ec4033fe3a3aa278e50a841924c54dbe51fc3227be8b2bc226ffc1a19614a38c2050dfd97f6782c42003f7acc655dc785bc25a3e5fc

            Download Submit

          • memory/540-158-0x0000000003220000-0x0000000003C70000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/540-162-0x0000000003DB0000-0x0000000003EF0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/540-161-0x0000000003DB0000-0x0000000003EF0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/540-157-0x0000000000E60000-0x0000000001790000-memory.dmp

            Filesize

            9.2MB

            Download

          • memory/540-156-0x0000000003F80000-0x0000000003F81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/540-159-0x0000000003220000-0x0000000003C70000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/540-160-0x0000000004180000-0x0000000004181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2192-136-0x0000000000640000-0x0000000000643000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2192-135-0x0000000000630000-0x0000000000633000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2192-134-0x0000000000620000-0x0000000000623000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2884-138-0x0000000002ED0000-0x0000000003920000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/2884-151-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-145-0x0000000002720000-0x0000000002721000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-146-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-147-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-148-0x0000000002730000-0x0000000002731000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-149-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-150-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-152-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-144-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-153-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-143-0x0000000003B20000-0x0000000003C60000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2884-142-0x0000000002700000-0x0000000002701000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-141-0x0000000002ED0000-0x0000000003920000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/2884-140-0x0000000003A90000-0x0000000003A91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2884-139-0x0000000002ED0000-0x0000000003920000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/2884-130-0x0000000002353000-0x000000000241A000-memory.dmp

            Filesize

            796KB

            Download

          • memory/2884-132-0x0000000000400000-0x00000000005F6000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/2884-131-0x0000000002460000-0x000000000264A000-memory.dmp

            Filesize

            1.9MB

            Download