995ac23899a3e47c7063846a031bb13a7067957e436b8fd0c0bf9aaa4c102ff1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c5260420a04d55c1b5ce35de870a6e.exe
Size

2.0MB
MD5

05c5260420a04d55c1b5ce35de870a6e
SHA1

02e9a866f99bce7dbb35c620c864ee900a3e7ddb
SHA256

995ac23899a3e47c7063846a031bb13a7067957e436b8fd0c0bf9aaa4c102ff1
SHA512

867c27f835e892983204355809713feed3c77424082e0d917433c9d1d6277448ee72a0c8d32eba48d5945ef793767f3f19d2235f69b0c3e16ef3bc0172bdb9a0
SSDEEP

49152:DyiE12gsZbo9Wz8QBvdRE+PJ0fxPN+jdkIr7IvvXfGI:zE1u65QBdREmJ0JPNKdd7I/G

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\Hosts	05c5260420a04d55c1b5ce35de870a6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	05c5260420a04d55c1b5ce35de870a6e.exe
3052	05c5260420a04d55c1b5ce35de870a6e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	05c5260420a04d55c1b5ce35de870a6e.exe
Token: SeDebugPrivilege	3052	05c5260420a04d55c1b5ce35de870a6e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	05c5260420a04d55c1b5ce35de870a6e.exe
3052	05c5260420a04d55c1b5ce35de870a6e.exe

C:\Users\Admin\AppData\Local\Temp\05c5260420a04d55c1b5ce35de870a6e.exe
"C:\Users\Admin\AppData\Local\Temp\05c5260420a04d55c1b5ce35de870a6e.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

Filesize
110B

MD5
f9fc3e4f710ea6068eccca29ed784970

SHA1
eb6f961e7102e3aef227b204ff4dd9563f745812

SHA256
1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb

SHA512
b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed

Download Submit
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

Filesize
115B

MD5
514d1b59ae8925c5edea3c446ce588dd

SHA1
60dd675b65c7ffaac6ca731dba265a6f316a6f75

SHA256
6bbfe9e113e075b646ae49400657b8bb20cbab06854b38bf007ac6e15cd7b773

SHA512
5bf3d0f1715b445852ad184907d2161967d51cb8fe9673330438d8705502bc63e263222c43839140c613a427b0b58b297e522b3953c2543453625e01b8017253

Download Submit
memory/3052-0-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download