Overview

overview

6

Static

static

3

file.exe

windows7-x64

6

file.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 14:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    13adf671ae056aa0e01e696c05736758

  • SHA1

    151edf47d4cf1f8bebe095502b4f4e8ed06dc59b

  • SHA256

    68837e50b37413708ed70f69651613342706345d14d3c2c21ed8ca3e298e5115

  • SHA512

    ae8b633b4234bb470b4acc16c267086a69c12ee6b5bc292b44d1b5536ee47c9517a7201c5f424224938ea5e9875a9ed7f0bef1e9ddd62876cfc12287870e67bf

  • SSDEEP

    12288:3y7uix2TBXVnBGw4I/6QTdp7lRpIlfMer5iiTvdyyF55bI8NMXzpuwFKzCctAtdX:SFzMXzAwPZ

Score
6/10
spyware

Malware Config

Signatures

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4732

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      71.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      151.157.15.45.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      151.157.15.45.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      64.13.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.13.109.52.in-addr.arpa
      IN PTR
      Response
    • 93.184.221.240:80
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 51.11.192.49:443
      322 B
       7
    • 93.184.221.240:80
      322 B
       7
    • 173.223.113.164:443
      322 B
       7
    • 173.223.113.131:80
      322 B
       7
    • 204.79.197.203:80
      322 B
       7
    • 45.15.157.151:39839
      InstallUtil.exe
      1.5MB
       23.3kB
       1090
      382
    • 52.152.110.14:443
      260 B
       5
    • 209.197.3.8:80
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      71.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      71.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      151.157.15.45.in-addr.arpa
      dns
      72 B
       126 B
       1
      1

      DNS Request

      151.157.15.45.in-addr.arpa

    • 8.8.8.8:53
      64.13.109.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      64.13.109.52.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2880-133-0x00000000007E0000-0x00000000009BC000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2880-134-0x0000000005720000-0x0000000005CC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2880-135-0x0000000005170000-0x0000000005202000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2880-136-0x0000000005210000-0x00000000052AC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2880-137-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-138-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2880-139-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-140-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-141-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-142-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-143-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-144-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2880-145-0x0000000005F30000-0x0000000005F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4732-146-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4732-148-0x0000000008110000-0x0000000008728000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4732-149-0x0000000007BB0000-0x0000000007BC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4732-150-0x0000000007CE0000-0x0000000007DEA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4732-151-0x0000000007C10000-0x0000000007C4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4732-152-0x0000000007F30000-0x0000000007F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4732-153-0x0000000007FB0000-0x0000000008016000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4732-154-0x0000000008FF0000-0x0000000009066000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4732-155-0x000000000A3B0000-0x000000000A572000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4732-156-0x000000000AAB0000-0x000000000AFDC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4732-157-0x0000000009140000-0x000000000915E000-memory.dmp

      Filesize

      120KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.