117997909896e79ac09f81a7ff9611bc153762a45cb15f1fb06ac9e0be1c7558

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe
Size

1.7MB
MD5

710785459d065a7e822861764ec36480
SHA1

d7d641f65e380e71f13dd04a6a37c903b532fb32
SHA256

e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d
SHA512

7fc4596b4cc119c9f939d4577e54c788dccd3c9aa84d8bfcd8dde14ee22da8b525b5c06201c045634e346444c78bf923c5e203e88af7717fac80178f52f7fa45
SSDEEP

24576:TV+UOwZmL/nvlkykFlTrAEdghT0WUQ2YUhOxiq2p7j4jNyXpcHLYiSHdX3Ra/KhV:TXZnl3AEyRV2YUIxPsDnI/wM2

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3964	Angle.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3924	tasklist.exe
4984	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3360	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	tasklist.exe
Token: SeDebugPrivilege	4984	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3964	Angle.pif
3964	Angle.pif
3964	Angle.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4652	3004	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	102
PID 3004 wrote to memory of 4652	3004	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	102
PID 3004 wrote to memory of 4652	3004	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	102
PID 4652 wrote to memory of 4772	4652	cmd.exe	103
PID 4652 wrote to memory of 4772	4652	cmd.exe	103
PID 4652 wrote to memory of 4772	4652	cmd.exe	103
PID 4772 wrote to memory of 3924	4772	cmd.exe	104
PID 4772 wrote to memory of 3924	4772	cmd.exe	104
PID 4772 wrote to memory of 3924	4772	cmd.exe	104
PID 4772 wrote to memory of 868	4772	cmd.exe	105
PID 4772 wrote to memory of 868	4772	cmd.exe	105
PID 4772 wrote to memory of 868	4772	cmd.exe	105
PID 4772 wrote to memory of 4984	4772	cmd.exe	106
PID 4772 wrote to memory of 4984	4772	cmd.exe	106
PID 4772 wrote to memory of 4984	4772	cmd.exe	106
PID 4772 wrote to memory of 1508	4772	cmd.exe	107
PID 4772 wrote to memory of 1508	4772	cmd.exe	107
PID 4772 wrote to memory of 1508	4772	cmd.exe	107
PID 4772 wrote to memory of 3468	4772	cmd.exe	109
PID 4772 wrote to memory of 3468	4772	cmd.exe	109
PID 4772 wrote to memory of 3468	4772	cmd.exe	109
PID 4772 wrote to memory of 3880	4772	cmd.exe	110
PID 4772 wrote to memory of 3880	4772	cmd.exe	110
PID 4772 wrote to memory of 3880	4772	cmd.exe	110
PID 4772 wrote to memory of 3816	4772	cmd.exe	111
PID 4772 wrote to memory of 3816	4772	cmd.exe	111
PID 4772 wrote to memory of 3816	4772	cmd.exe	111
PID 4772 wrote to memory of 3964	4772	cmd.exe	112
PID 4772 wrote to memory of 3964	4772	cmd.exe	112
PID 4772 wrote to memory of 3964	4772	cmd.exe	112
PID 4772 wrote to memory of 3360	4772	cmd.exe	113
PID 4772 wrote to memory of 3360	4772	cmd.exe	113
PID 4772 wrote to memory of 3360	4772	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe
"C:\Users\Admin\AppData\Local\Temp\e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Catch & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 30248
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Jobs + Promo + Rally + Latinas + Assumes 30248\Angle.pif
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Armstrong + Who + Standing 30248\C
      4⤵
      PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\3511\30248\Angle.pif
      30248\Angle.pif 30248\C
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3511\30248\Angle.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\30248\Angle.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\30248\C

Filesize
1.0MB

MD5
63a9c9726e44b53f5066bd2a893d3d60

SHA1
cc7d9f2e2357189e70a0aa4ddb8f506f1915b1f5

SHA256
9a9d8dabae4130ad40b43fa1cb38d14b0120ee6bc8dfe45024c7240ff4c79156

SHA512
e1ae9065619cdf55dccc1454605c6c428de930d8091911b536f6bd3aa03be8113b459185d0f595b2da7a4ae8a2f7de85e2ff4501625f707dc34190ef7dea1a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Armstrong

Filesize
423KB

MD5
9ef598da23f3cd6cb1ddfb589e43189f

SHA1
dfacfbf8c2009b94d4784111c40f4003ed6c793c

SHA256
422fc32f4ebffac3e75ba2c5073780dcc67cad64e03f379153a63f29fdd2bd56

SHA512
be81c6c1918b9db09b467c01d6ac62e30526e24811853472fd2a4254cd808dd82cfa81739b07af2276fddcd03646cc2b04b9007cebb1be1acc256beaa51134de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Assumes

Filesize
278KB

MD5
6850d82a929aa9638756704d1ee8a544

SHA1
79a67a37d7bc491d353365897483f0081d89cb10

SHA256
3e34a511e700b4fef15d98c9a2d2dadc589194d4010077b387fda740353d3a95

SHA512
1a9a9a284b71635e612ef800d652705e104d7233458e968d0b41cd27b8af0e09e1c32499110f38720413d98d7bdea396431a3963c717aab73df5afde25a9629a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Catch

Filesize
12KB

MD5
718bb1691450f42b1a46fe23f2eb507f

SHA1
6e5fcd14d4f5511b969699e650024e731b0b49aa

SHA256
461155c91a86d6ff3ed6d517a459b36ab53e1f73ede7f054578c26e9284d3f80

SHA512
7188c1c24db1624d602f48e60d834f3b71d70f975a00e7e1e6298113266339fb55a14101c51fa251494d9d2614a1a592beb29d2376c570cc8187353f19ec1cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Jobs

Filesize
257KB

MD5
102c7e49642516f9821d97b94ebdbdb7

SHA1
de28c06d5de6b689859a6d98a5d9bc656b0530d7

SHA256
6f47049fcdb5d2e5fe4ef66ce428794379f97b2099e97798406d666a1c187ed8

SHA512
5f067423bd94de1fe35fda9bb972502c11e4c26f224b05a1f9a56dad8caf0ea64d058772f202ba659c3036e493d7d22f68b38a043f8b51e5ce2d0eb25f2dc61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Latinas

Filesize
108KB

MD5
c40de8b387bc0d237a37c945c3af3288

SHA1
66a93a7bb3b9db0b9a77247559c93db3ffb4ed8d

SHA256
fb0fd4d0ca1080a431792aba2f0c9018c6656bedcfc8536a15f0dd48db7bfcf9

SHA512
697a5d0f4e64b15d4bf389e829231ce668b7ad9253d4628c85fc8de70cfd31ff28bd40681ebc078365cd1f7b933c58a70e7c6b3b2d7232c944d0817785348347

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Promo

Filesize
129KB

MD5
6494d8de7e5c15e5d636474e0a650fe6

SHA1
1aedd0ed9c1310a691f8a420617db357ebab8430

SHA256
e50b45a5d2f5d0ef07b1098f086fe7d365a6858239ece89d23540f52031914ee

SHA512
d7c84f1f737947d6929d8183700d48656c6ddf6f495d0e2aab673dfe4ac75e7b6e70e3e7ede4493162f1d3677860ec6236b56fc7662f307952a108d397e68196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Rally

Filesize
152KB

MD5
cd2e635cabae7d929cd246778dbfb69b

SHA1
36dc87dae8c8b0e74993a6344a710096c7c08df9

SHA256
1422ab4975976de3009c7ec349a7e884aab78be0d500cda9dc667f97875d5f3c

SHA512
382adc28eb085f5b27ad72c9795e308f222a7caf7062e6e4e0cfb6d701a08b5f12d2778733d78f0272fe69543305fb55e3b6b19a6c26d3b41d2d837abdb382b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Standing

Filesize
241KB

MD5
e701bf28bbf816c83af809f9e49fead3

SHA1
5df6c66e4c4273b198df4cf0d032af259e87add7

SHA256
5890b69fae8e2cfd953ba20417218a2488e5b22808f2cc2471e7169cb01905fc

SHA512
071ee1fc7249a9462e25d352e70f12067ef916a3c8810aae5887d17c5b47737570bd5ab0d3f55fa49e7dba4604adc18451757dba71eba64ba3623b6af5d5dada

Download Submit
C:\Users\Admin\AppData\Local\Temp\3511\Who

Filesize
400KB

MD5
fffb5356e6db9b95590db265c8ae6d6e

SHA1
113e8c89aae36df57f5dd8f27b96825f48d30202

SHA256
837c0f706fcaf7c5a62043749bf59cc0a6596a51847e49fde7e83b57c735712a

SHA512
774352afcbbae36bb57ee65e4c36b0d82b6f7aaa6e1534ebaa1c4a9d6cb5f558cdb264325a04ff9beb2797991f9a29a883ed65539fadc86972186d721ccae623

Download Submit
memory/3004-1-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-10-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-6-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-27-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-28-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/3004-0-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3964-34-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-32-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-30-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-33-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-31-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-29-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3964-36-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-37-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download
memory/3964-38-0x00000000013D0000-0x0000000001456000-memory.dmp

Filesize
536KB

Download