Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 09:11
- Static task: static1
- Behavioral task: behavioral1
  Sample: Valentina Studio Pro v13.7.exe
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: Valentina Studio Pro v13.7.exe
  Resource: win10v2004-20231215-en
General
- Target: Valentina Studio Pro v13.7.exe
- Size: 11.7MB
- MD5: 6c23d52006da52904f755c8268d29ffc
- SHA1: 8d770ad326a02692e7a223749128d402af94e1a7
- SHA256: d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd
- SHA512: ae64700be9120d3b4e8b1dc0a94ad4131726d72bd92433461e2af505df67e89bf1e3d62d1b47dd6b632dc087dcea5d15ddcad03fa3956379efc854d0d72bd9b3
- SSDEEP: 12288:Fkbo4c5w0lRq+x83dhmNml3pPw1WIzWTbel9BfrmjsN/pf7Rm:3gqbsmVBfyoN/y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2900  3I4IGAMWK.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  2316  Valentina Studio Pro v13.7.exe
  2316  Valentina Studio Pro v13.7.exe
  2872  WerFault.exe
  2872  WerFault.exe
  2872  WerFault.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  2872  2900  WerFault.exe  3I4IGAMWK.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 2316 wrote to memory of 2900  2316  Valentina Studio Pro v13.7.exe  3I4IGAMWK.exe
  PID 2316 wrote to memory of 2900  2316  Valentina Studio Pro v13.7.exe  3I4IGAMWK.exe
  PID 2316 wrote to memory of 2900  2316  Valentina Studio Pro v13.7.exe  3I4IGAMWK.exe
  PID 2316 wrote to memory of 2900  2316  Valentina Studio Pro v13.7.exe  3I4IGAMWK.exe
  PID 2900 wrote to memory of 2872  2900  3I4IGAMWK.exe  WerFault.exe
  PID 2900 wrote to memory of 2872  2900  3I4IGAMWK.exe  WerFault.exe
  PID 2900 wrote to memory of 2872  2900  3I4IGAMWK.exe  WerFault.exe
  PID 2900 wrote to memory of 2872  2900  3I4IGAMWK.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Valentina Studio Pro v13.7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Valentina Studio Pro v13.7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\3I4IGAMWK.exe
    Command line: "C:\ProgramData\3I4IGAMWK.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 752
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \ProgramData\3I4IGAMWK.exe
  Filesize: 159KB
  MD5: e639201bf0d332f8965649ec7de96c40
  SHA1: 6047898d098c27c9e24e9e21310ecd2fd6a7dc20
  SHA256: fcecfe186349fb25b733b526b9259dec1bd3a3bd94a7cd5015a3b890e371f7fb
  SHA512: 73d010ce917f0827bb1266a1178c026aa6602675788163c38dd9d46ce9f558b855c2ad5bfd70db84e8b58deb241c64050f2dc472c532dbd2453155e569a24b45
- memory/2316-0-0x00000000010E0000-0x000000000118A000-memory.dmp
  Filesize: 680KB
- memory/2316-1-0x0000000074550000-0x0000000074C3E000-memory.dmp
  Filesize: 6.9MB
- memory/2316-2-0x0000000004C50000-0x0000000004C90000-memory.dmp
  Filesize: 256KB
- memory/2316-11-0x0000000000CE0000-0x0000000000D1D000-memory.dmp
  Filesize: 244KB
- memory/2316-14-0x0000000074550000-0x0000000074C3E000-memory.dmp
  Filesize: 6.9MB
- memory/2900-13-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB