Overview

overview

7

Static

static

f4486eaeca...8d.exe

windows7-x64

7

f4486eaeca...8d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe

  • Size

    126KB

  • MD5

    056fef6c349dd03925c26e7732ae4370

  • SHA1

    7aee423fb4a85beda6abce75a74d446729e2a218

  • SHA256

    f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d

  • SHA512

    5ce2efa2ea5a0e802e1cc67857c66f9c4266c5884700f284f231f79cb0a4ba31b327b05a0da89bc0c45122bbeebf4b480105fa5e43e4f23f9bdf3f7675a6bee7

  • SSDEEP

    3072:zpF3T6kXMn/Yf96OHt1SNh/dX2miQpWv2IeXhHYM4p4m0e1Am:zHOUMnY96OmN7l/ieX11Y

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe
    "C:\Users\Admin\AppData\Local\Temp\f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Users\Admin\AppData\Local\Temp\f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe
      C:\Users\Admin\AppData\Local\Temp\f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f4486eaeca1f35ee98e6592497f60b6f620ea3c7c7d95621f509aca214736b8d.exe.log
    Filesize

    319B

    MD5

    a4da81a3544d9cd85f257967c0a431fe

    SHA1

    ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3

    SHA256

    ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e

    SHA512

    12348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f

    Download Submit

  • memory/1960-135-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1960-137-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1960-139-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4028-132-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4028-133-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4028-138-0x0000000075470000-0x0000000075A21000-memory.dmp

    Filesize

    5.7MB

    Download