Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2023 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    411KB

  • MD5

    bb74d8ec233dd105f813b778f437eeb3

  • SHA1

    9c57c2d705665ca9226fa6ef1c72fab760cd3595

  • SHA256

    edb1307f1fd091e464831bfc974dc7c4db9586095f3112a3bed99f5601213eb8

  • SHA512

    374ec56617cb5fe1dc4a1572b27d49c481bd46d1ba4d1f87b1af533437997c916d75a888c5cacc146a8b61d3e672b27c6c6415cc9ce8426c1032040e76ce451f

  • SSDEEP

    6144:eF/e4oeaMMJ2+3qZK6jaP6aAltjTgXrtC08PJOYXEGo:ezohMMfataqjKw

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1728
      2⤵
      • Program crash
      PID:1316
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:3852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1848 -ip 1848
    1⤵
      PID:4192

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    4
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\wsuAA0B.tmp
      Filesize

      14KB

      MD5

      c01eaa0bdcd7c30a42bbb35a9acbf574

      SHA1

      0aee3e1b873e41d040f1991819d0027b6cc68f54

      SHA256

      32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

      SHA512

      d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

      Download Submit
    • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
      Filesize

      29KB

      MD5

      8019ed8c1e836809e2a6025b48b62bb5

      SHA1

      a870be5ba20effe22e183abdab9a2cdadf4f6db9

      SHA256

      2e56fdb1765c0f9a3f6ce122645fbb732c04b417f66488c0ea39b1f38570b69b

      SHA512

      2d55eddc6a5468e0d5c99038e03a76dc1c356f04a5e3b4c62be38816179ca653c404f316c5953d758f07cedc66c7deeeda147d0517683495f2a808b895ed8b62

      Download Submit
    • memory/1848-148-0x0000000008290000-0x0000000008306000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1848-137-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-149-0x0000000008320000-0x000000000833E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1848-150-0x0000000002440000-0x0000000002540000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1848-140-0x0000000007040000-0x0000000007658000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1848-142-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1848-141-0x00000000076B0000-0x00000000076C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1848-143-0x00000000076D0000-0x00000000077DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1848-144-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-145-0x00000000077E0000-0x000000000781C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1848-146-0x00000000079F0000-0x0000000007A56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1848-147-0x00000000081F0000-0x0000000008282000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1848-135-0x00000000023D0000-0x000000000240D000-memory.dmp
      Filesize

      244KB

      Download
    • memory/1848-138-0x0000000006A90000-0x0000000007034000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1848-139-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-151-0x00000000084F0000-0x00000000086B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1848-152-0x0000000008720000-0x0000000008C4C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1848-153-0x0000000000400000-0x000000000230E000-memory.dmp
      Filesize

      31.1MB

      Download
    • memory/1848-156-0x00000000023D0000-0x000000000240D000-memory.dmp
      Filesize

      244KB

      Download
    • memory/1848-157-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-158-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-159-0x0000000004350000-0x0000000004360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1848-160-0x0000000000400000-0x000000000230E000-memory.dmp
      Filesize

      31.1MB

      Download
    • memory/1848-161-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1848-136-0x0000000000400000-0x000000000230E000-memory.dmp
      Filesize

      31.1MB

      Download
    • memory/1848-134-0x0000000002440000-0x0000000002540000-memory.dmp
      Filesize

      1024KB

      Download