Overview

overview

10

Static

static

10

Pathfinder_2.19.3.zip

windows7-x64

1

Pathfinder_2.19.3.zip

windows10-2004-x64

1

Pathfinder...ig.exe

windows7-x64

10

Pathfinder...ig.exe

windows10-2004-x64

10

Pathfinder...er.exe

windows7-x64

7

Pathfinder...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    28s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    18/02/2023, 23:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pathfinder_2.19.3/Pathfinder_Builder.exe

  • Size

    3.8MB

  • MD5

    89817a0ea4add5696282c943839b64c1

  • SHA1

    217890e8db8ea736f8a84ea9c1835c22c845a240

  • SHA256

    0a7e31c92f26713ba2787eb9172d4a5a105e88ca3cc739e4c62890d263fd1fa0

  • SHA512

    0a39c64b90656820ed9298a793f8d3016a0d629e88506c51410d32afe6746b75d510965014b9414a4c3f63efb54bacff16e79bfc74feb76ea15fd22b9c63bedf

  • SSDEEP

    49152:WHFNVHFpNDv8w7v8xQlPRNso1tCbgJ16LC3s3f2gzKpU5EsjpwKjeQO5nGTBLprH:Ib8xQZ3si2uVQSi9jdl

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Pathfinder_Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Pathfinder_Builder.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c "schtasks /Create /TR C:\Users\Admin\AppData\Local\Temp\\system /SC ONLOGON /TN system /IT"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\system32\schtasks.exe
        schtasks /Create /TR C:\Users\Admin\AppData\Local\Temp\\system /SC ONLOGON /TN system /IT
        3⤵
        • Creates scheduled task(s)
        PID:1844
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 852 -s 904
      2⤵
      • Program crash
      PID:668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/516-55-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/516-56-0x000007FEF4890000-0x000007FEF52B3000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/516-58-0x0000000002364000-0x0000000002367000-memory.dmp

    Filesize

    12KB

    Download

  • memory/516-57-0x000007FEF3C70000-0x000007FEF47CD000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/516-59-0x0000000002364000-0x0000000002367000-memory.dmp

    Filesize

    12KB

    Download

  • memory/516-60-0x000000000236B000-0x000000000238A000-memory.dmp

    Filesize

    124KB

    Download