Overview

overview

10

Static

static

10

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-03-2023 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    4.4MB

  • MD5

    15d1bdb5f6e3267b936b401485897479

  • SHA1

    f9f1c88d6d1e929a42c15dc3c0c0afefbe42544d

  • SHA256

    48392e0c0969580a9eaa9fa882b543b319ea08e6492d3a6819bc0c5b64d78396

  • SHA512

    e941ad9a9fddf0dd4a0d3d0bd2b02f55e2a3361de6ce9bcc674e4bb33d82c59a4519e5cf2d90e2d422ab3f860247a8c78abd715b3ceaecbc5b013be0e42812ac

  • SSDEEP

    49152:C2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1CaSo5qTk6k1lFAw8A7/eFwjDr9:CfQM/fSoPFNLQg1UTOWw8a0cDAOn

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:1164

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
      Filesize

      71KB

      MD5

      2beb695add0546f6a18496aae58b2558

      SHA1

      1fd818202a94825c56ad7a7793bea87c6f02960e

      SHA256

      132cb7037ada7d8563c5b8cf64796ed22b0fbc1ccefbbbf5faa3c18545b289ed

      SHA512

      e80fa42ab27afa16e0f6f72639077be7da3e73f7c7b4cecbe0d24637ee76334de77a2b61e7c3afab4e3750e53a93baa68d3cdb9c1eb55fb9a5d580cff94f21f2

      Download Submit