Overview

overview

7

Static

static

58ee0b2407...cb.exe

windows7-x64

7

58ee0b2407...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    66s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 11:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb.exe

  • Size

    192KB

  • MD5

    1f874cba8237160535ec495a781ba22d

  • SHA1

    ba5a5a754584fc205d3b16133ac6ee5b77544643

  • SHA256

    58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb

  • SHA512

    e4cdcbcc809fae13d3f2e7cf903370fde1a35b2b6f923eb7752e8f0a88ec8e73913480d43a7978934cfb99d47e169f5f2471119284cfc1afb7e5ac360b97483c

  • SSDEEP

    3072:5f2+b0QUvhzaW3LYZmhjU6zloI4b4eI4weQ50zGQS2Qmuuy2Fw7deCkTu6bFu:V8p57YZ8jUMlrb3e807QPxjyS

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb.exe
    "C:\Users\Admin\AppData\Local\Temp\58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb.exe
      "C:\Users\Admin\AppData\Local\Temp\58ee0b2407d0635e26a06b385b7e1b46d028ada1c7870b0e568f9fe2fbb5e4cb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell /?
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
      • C:\Windows\SysWOW64\certutil.exe
        certutil -?
        3⤵
          PID:1796
        • C:\Windows\SysWOW64\certutil.exe
          certutil -addstore -f -user "ROOT" "C:\ProgramData\\cert518683.der"
          3⤵
            PID:1756
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$s=Get-Content 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\\prefs.js';$s=$s| Where { $_ -notmatch 'network.proxy.type' };$s | Set-Content 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\\prefs.js'"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1856
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$s=Get-Content 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\\prefs.js';$s=$s| Where { $_ -notmatch 'network.proxy.autoconfig_url' };$s | Set-Content 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\\prefs.js'"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2032

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\cert518683.der
              Filesize

              1KB

              MD5

              390373d803fba8d98086b3866ba31203

              SHA1

              b7f0a6b7c672c877106b9529cb040c7cac55c4b5

              SHA256

              040156275fd3bce9afd2761b7572da6d4c8262f8744e0889981b289d0967d87f

              SHA512

              60fa47b25582f499ac809cd234ddbd112ed04d24e2ec292528f0beaa9589035da3de74e2bf075ac18ca7e800727095dfa25b2314a586bf2be9f1a9dcf3cc92a8

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              a6af686a9afea4d4b2d893774af0329a

              SHA1

              9da520f5a77b66ff0042c18454ad8ca01312a3a9

              SHA256

              3975370f5d04efb1459f6af7528384040bb65b0997185d5c7bda4a11dd7f68c2

              SHA512

              cace107b20592cab1015e4ae5d2c64629e17faeb78278e9a0e7ee9458e9c00825368ef24dcdd97f298d28d39873bad5b08f34788e89d8949b38ec89dea901c16

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              4a2e800aa47a8db8d749872a2aa9fd9c

              SHA1

              060f6c1fbf953252352b73b736c8ef23b6b8aef6

              SHA256

              db1cc0ec99d05453bfb6581b912d4d2d3060294a7fa6758c8d708f93279c25f5

              SHA512

              09c02786561adab6223e1d70913152432dfc586e562e696892ade04259322128befd20b1e0b98849b078a5845ebd4fec59291844255987a37da1e7819a1f6243

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\prefs.js
              Filesize

              6KB

              MD5

              f8903ba5c7a1f8fc43e2147a58f80fbe

              SHA1

              203d2b1b30b8c1368a30d5cbe66b8b5da890351b

              SHA256

              e147b227b035abea62feb480822a020cd001f0800bad585b2704c5db572ee6c4

              SHA512

              300521dd112c77aa1c11ce6487c45e4557b03cf8d69d1944459f387f9cd29ad829d47b82f54765dcaada7ecf2a639045fa296b84a70ae96b5811663ecf0e0247

              Download Submit

            • memory/1448-78-0x0000000073F70000-0x000000007451B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1448-77-0x0000000073F70000-0x000000007451B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1612-63-0x00000000003F0000-0x00000000003F4000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1620-67-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-60-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-73-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-74-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1620-69-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-65-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-62-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-93-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1620-81-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1620-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

              Filesize

              1000KB

              Download

            • memory/1620-57-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1620-58-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1856-94-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1856-88-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1856-98-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2032-92-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2032-95-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/2032-97-0x0000000073F30000-0x00000000744DB000-memory.dmp

              Filesize

              5.7MB

              Download