Overview

overview

10

Static

static

10

uni2.exe

windows7-x64

7

uni2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    31s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2023 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uni2.exe

  • Size

    3.0MB

  • MD5

    7b7f66624ef0b602dc8b5cf5ab0e0cc7

  • SHA1

    7ce5ff0bc6ed6160b34d110f58c4e3b3131b6471

  • SHA256

    417aee1f9b38131b40df67ca5ade203e6e45fb3b2928ba209ef2afacc3d6d8fe

  • SHA512

    622a202c7ad573c7f6d98905b7b4edeb8e0084d069e3943fbfc03046df5f19fe48e48aeda4f8c396a8a79fa85f136720cc3312c8a8cb6564a9928a76fe1f4e8d

  • SSDEEP

    49152:n2F3dmZsmanH2CXOwjygvaBsLFA8pHht8k1r:aPmEjpLO8pZ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uni2.exe
    "C:\Users\Admin\AppData\Local\Temp\uni2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:2044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
      Filesize

      71KB

      MD5

      dfeffc3924409d9c9d3c8cae05be922b

      SHA1

      a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4

      SHA256

      06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6

      SHA512

      d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33

      Download Submit