Overview

overview

10

Static

static

3

91a0106c0b...bb.exe

windows7-x64

10

91a0106c0b...bb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2023 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91a0106c0b58cd6fde7a66bb181b3dbb.exe

  • Size

    345KB

  • MD5

    91a0106c0b58cd6fde7a66bb181b3dbb

  • SHA1

    17bdbdb35a47154fec7fdfc4e9f59a053e5d5d7a

  • SHA256

    84843ae0e91bbacae720437937f1bcea3fcae4d9933d71a07a26a8e81479c0f0

  • SHA512

    de013483c8564801292d33a1103fbee5fa3ff41f21c4ddf447a870e5c1ee883bd15e95a2e7440c09b2a049e3578cec3d7f10d1182d4a30729790a1aa1ade5aab

  • SSDEEP

    3072:AP2ZBBNQdf3BgVy/pC35i/fcax7YN9+SVtkwFn1oOKlOvJO2bNLg3r3XN3:zZRQN3Bg0GincaGhVtkU0sxOuq3

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\91a0106c0b58cd6fde7a66bb181b3dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\91a0106c0b58cd6fde7a66bb181b3dbb.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1292
      2⤵
      • Program crash
      PID:3980
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4252
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 484 -ip 484
    1⤵
      PID:1948

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/484-135-0x0000000002E60000-0x0000000002F60000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/484-136-0x0000000002E10000-0x0000000002E4F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/484-137-0x0000000000400000-0x0000000002B62000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/484-142-0x0000000074790000-0x0000000074F40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/484-143-0x0000000007460000-0x0000000007470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/484-146-0x0000000007460000-0x0000000007470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/484-147-0x0000000007470000-0x0000000007A14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/484-148-0x0000000007B20000-0x0000000008138000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/484-149-0x0000000000400000-0x0000000002B62000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/484-150-0x0000000002E60000-0x0000000002F60000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/484-151-0x0000000008140000-0x000000000824A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/484-153-0x00000000073A0000-0x00000000073B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/484-152-0x0000000002E10000-0x0000000002E4F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/484-154-0x0000000007400000-0x000000000743C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/484-155-0x0000000007460000-0x0000000007470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/484-156-0x0000000074790000-0x0000000074F40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/484-157-0x0000000007460000-0x0000000007470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/484-159-0x00000000084B0000-0x0000000008526000-memory.dmp

      Filesize

      472KB

      Download

    • memory/484-160-0x0000000008530000-0x00000000085C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/484-161-0x00000000085D0000-0x0000000008636000-memory.dmp

      Filesize

      408KB

      Download

    • memory/484-162-0x0000000009090000-0x0000000009252000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/484-163-0x0000000009260000-0x000000000978C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/484-164-0x00000000098D0000-0x0000000009920000-memory.dmp

      Filesize

      320KB

      Download

    • memory/484-166-0x0000000000400000-0x0000000002B62000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/484-168-0x0000000074790000-0x0000000074F40000-memory.dmp

      Filesize

      7.7MB

      Download