Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2022 18:28

General

  • Target

    UDO_Device_Enrolment.exe

  • Size

    203KB

  • MD5

    33d42728d32ae2eae31e4e1666b9b41c

  • SHA1

    8eb8f3dd4394d95cbe0294903f11df25966e483a

  • SHA256

    125fabbc234e4aef84704adad60213c510611aa5ee1a86fc238d6497df121e21

  • SHA512

    9548f6328c27b0616ab4a44fa05735189ec14eb5bf302616877faa3a8c2473a378266ffd2435c7f578f99776ec4d1d6e3d82ac71df70bdf18161f6062360c27a

  • SSDEEP

    768:h4KUggNBTPsmV5II2Q0oXbOfq1mkmjJKQfsPE2d1NL3gkGMsG:h4KUggTTPRiQLbOamUPRvR3zG

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp-mail.outlook.com
  • Port:
    587
  • Username:
    udoderbymain@outlook.com
  • Password:
    Derbyuni2021

Signatures

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UDO_Device_Enrolment.exe
    "C:\Users\Admin\AppData\Local\Temp\UDO_Device_Enrolment.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\temp\Windows32\WebBrowserPassView.exe
      "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4656

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081), 1 signature
  • Collection
    Data from Local System (T1005), 1 signature
  • Command and Control
    Web Service (T1102), 1 signature

Downloads

  • C:\temp\Windows32\WebBrowserPassView.exe
    Filesize

    393KB

    MD5

    2024ea60da870a221db260482117258b

    SHA1

    716554dc580a82cc17a1035add302c0766590964

    SHA256

    53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56

    SHA512

    ffcd4436b80169ba18db5b7c818c5da71661798963c0a5f5fbac99a6974a7729d38871e52bc36c766824dd54f2c8fa5711415ec45799db65c11293d8b829693b

  • memory/904-132-0x0000000000A40000-0x0000000000A78000-memory.dmp
    Filesize

    224KB

  • memory/904-133-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
    Filesize

    10.8MB

  • memory/904-134-0x0000000002B60000-0x0000000002B82000-memory.dmp
    Filesize

    136KB

  • memory/904-138-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
    Filesize

    10.8MB

  • memory/904-139-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
    Filesize

    10.8MB

  • memory/4656-135-0x0000000000000000-mapping.dmp