8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe
Size

459KB
MD5

afdb9995f0e5db969d77c4808f540f13
SHA1

74e9a123098ff4fc344fb27b5e1a9103c1cebc3e
SHA256

8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71
SHA512

135c668ed0e899874b32f1c253e00ad1f6a8811d65eff5547f1221cdff9b8071e249a9197b7107c6d4b4691e0366d80e03209fe0813c61909bb4b8b78f7bceb1
SSDEEP

12288:a3aOZZnaNk09pBKhWSzJmNoVqsd5yAi8YWe2dVY:a3aMZnSk09pCWSzvf4Ai8v3dVY

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

Drops file in Drivers directory 2 IoCs

Processes:

8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe
File created	C:\Windows\system32\drivers\etc\hosts	8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

pid	process
2820	8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe
2820	8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe

C:\Users\Admin\AppData\Local\Temp\8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe
"C:\Users\Admin\AppData\Local\Temp\8d949b3a294fe15396308f27f1ad287c6e845d45a9180bccfec4f8bc4d569c71.exe"
1⤵
- Enumerates VirtualBox registry keys
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Software Discovery

T1518

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-132-0x0000000001130000-0x0000000001135000-memory.dmp

Filesize
20KB

Download
memory/2820-133-0x00000000007E0000-0x0000000000884000-memory.dmp

Filesize
656KB

Download
memory/2820-134-0x0000000001130000-0x0000000001132000-memory.dmp

Filesize
8KB

Download
memory/2820-136-0x0000000001130000-0x0000000001132000-memory.dmp

Filesize
8KB

Download
memory/2820-135-0x0000000001130000-0x0000000001135000-memory.dmp

Filesize
20KB

Download