Overview

overview

10

Static

static

e9d7ac8344...9a.exe

windows7-x64

10

e9d7ac8344...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9d7ac8344ca51c7e82db7a8b076740dd66f073ac19e3e7035f4501590c40d9a.exe

  • Size

    521KB

  • MD5

    e83a8bb1ec87ddaa5001285d4e753ac2

  • SHA1

    359912ff3b47615960e0a325727fc4e9c0176b40

  • SHA256

    e9d7ac8344ca51c7e82db7a8b076740dd66f073ac19e3e7035f4501590c40d9a

  • SHA512

    051c897e8d5a2c404ca3aeb900042a6373105d8d4af21d21ddf06bbea3a593f24d04a532359a91e30d079f13da4f67ee4ceeab6e75d45a2bb4ff94ed08b98dcf

  • SSDEEP

    6144:125mswOyIZjyMrmhc2TawSgaOt2da2k78qh90GiTwXw35lk9jgvy89:12wRIZgmTOJDz9fA35lk9N

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9d7ac8344ca51c7e82db7a8b076740dd66f073ac19e3e7035f4501590c40d9a.exe
    "C:\Users\Admin\AppData\Local\Temp\e9d7ac8344ca51c7e82db7a8b076740dd66f073ac19e3e7035f4501590c40d9a.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:1160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/672-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1160-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1252-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1252-55-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1252-58-0x00000000003F6000-0x0000000000407000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1252-59-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1252-60-0x00000000003F6000-0x0000000000407000-memory.dmp

    Filesize

    68KB

    Download