Overview

overview

8

Static

static

9fc38c978d...90.exe

windows7-x64

8

9fc38c978d...90.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe

  • Size

    251KB

  • MD5

    07674572cf79953c21898b8014967e52

  • SHA1

    fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

  • SHA256

    9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

  • SHA512

    7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

  • SSDEEP

    3072:4ar2vYb/wk6D6EWOzYQjqRbC+h7jTBLjF5FemO9QbBLUcLTUEwhdI:4ayvYb/wk6TWOALhXTB0meQlUcLQEw

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
    "C:\Users\Admin\AppData\Local\Temp\9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2f13090c.bat"
        2⤵
          PID:812

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe
        Filesize

        251KB

        MD5

        07674572cf79953c21898b8014967e52

        SHA1

        fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

        SHA256

        9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

        SHA512

        7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe
        Filesize

        251KB

        MD5

        07674572cf79953c21898b8014967e52

        SHA1

        fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

        SHA256

        9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

        SHA512

        7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

        Download Submit

      • memory/812-143-0x0000000000B40000-0x0000000000B6C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/812-142-0x0000000000000000-mapping.dmp

        Download

      • memory/812-146-0x0000000000B40000-0x0000000000B6C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/968-132-0x0000000002750000-0x0000000002786000-memory.dmp

        Filesize

        216KB

        Download

      • memory/968-133-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

        Download

      • memory/968-145-0x00000000005B0000-0x00000000005DC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/1924-141-0x0000000000000000-mapping.dmp

        Download

      • memory/1924-147-0x00000000003A0000-0x00000000003CC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/4664-135-0x0000000000000000-mapping.dmp

        Download

      • memory/4664-138-0x0000000002430000-0x0000000002466000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4664-139-0x0000000000400000-0x0000000000445000-memory.dmp

        Filesize

        276KB

        Download

      • memory/4664-144-0x0000000002430000-0x0000000002466000-memory.dmp

        Filesize

        216KB

        Download