Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-08-2023 23:42

General

  • Target

    4270afcad72547081c6bc723c323cc096fe12a1eb4e6aabff0aeacb21502f98a.exe

  • Size

    1.2MB

  • MD5

    6183ba3237a79b64eee7d174cf1054ef

  • SHA1

    d3d76a213f62c2da7e09d7ae2c09d6ccc08c2450

  • SHA256

    4270afcad72547081c6bc723c323cc096fe12a1eb4e6aabff0aeacb21502f98a

  • SHA512

    02b9f5379090d21e93e30e13307d71073df85483c96eebac8fc82d45de8f321d4d506ccc4acf67c60b0c26fb09ac342bb4f97dd93288b39c08f233916af9e078

  • SSDEEP

    24576:1XU09t8XLX8hf6VAYCG6WouT8wakojp09TPFpae7QknE:1EutzfsCG5h9akoj+vae8kn

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4270afcad72547081c6bc723c323cc096fe12a1eb4e6aabff0aeacb21502f98a.exe
    "C:\Users\Admin\AppData\Local\Temp\4270afcad72547081c6bc723c323cc096fe12a1eb4e6aabff0aeacb21502f98a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg -x -monitor-timeout-ac 0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\powercfg.exe
        powercfg -x -monitor-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C powercfg -change -standby-timeout-ac 0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\powercfg.exe
        powercfg -change -standby-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autFFA9.tmp

    Filesize

    664B

    MD5

    d7b405d844bf2c4b060ca5e150b4a5a2

    SHA1

    cd5293c445722c1718529d96a5cadafc82b02932

    SHA256

    da5d018d7c64afb391151680e5e79478d1cbbb875bc1c5e3be03efdd8f7b1d3d

    SHA512

    8bc3b0e4d037ed6add976717a74fb98cea7e3140abcb0f8ab016fc8833c51c8452bbfb0b7778be62de39be79ae88077f48c8d2ddc4fc5f20cb3e2342f832ef92

  • C:\Users\Admin\AppData\Local\UCBrowser\User Data\Default\Bookmarks

    Filesize

    2KB

    MD5

    6c898fa48cbf4fde048878e64d1763af

    SHA1

    3cc2a1878a643ca3155951b36908e627de110746

    SHA256

    f5327ba2a1497bc2aee16e635f20fc65ff82d48b776471de70c334611777165c

    SHA512

    6c44230b1a9ff22528e5cf7fe646843f7c612b14fedb0f388601e501119dcfcd4bc0f96b85a6de8d51fb8460e15160a1a341ac518ce9639a79b94ad545697682

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\installs.ini

    Filesize

    75B

    MD5

    a71773639c751022e1f6da6cab72a0a6

    SHA1

    6d5919a00aede2e8db1c49f9303482de20a0fde3

    SHA256

    fe6f9409fd3d21e6def35cba73ee4ccf607856a2cd371d7fabdb5b96fc6373a0

    SHA512

    89e7eaa35d05f8ed3943753e91455c7c4e351b0c6cb890563be9757750fa723d6da2daa2acb673d1a132592343da08195f5a5424014b0fde372f789000107291