Overview

overview

7

Static

static

3

a8d6e729b4...2b.exe

windows7-x64

7

a8d6e729b4...2b.exe

windows10-2004-x64

7

Resubmissions

29/01/2024, 14:22

240129-rpxgssdbfq 10

29/12/2023, 02:19

231229-cr3n9scaen 7

Analysis

  • max time kernel
    119s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 02:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a8d6e729b4911e1a0e3e9053eab2392b.exe

  • Size

    416KB

  • MD5

    a8d6e729b4911e1a0e3e9053eab2392b

  • SHA1

    c1730126a7673bafe780d92fcca9d88707df0ff3

  • SHA256

    cf0becb19e10b2dcd972fbe94aea00c51b8290b052263117e7ed8721d48ee104

  • SHA512

    f99e1a711067b78472f57a0abc11373aac96b503a6eee9faa200ce3f94e969628602b9a4b733f144d01e9453b809c70f20a98bf91433497c241b769f97e7ad2b

  • SSDEEP

    6144:tDKW1Lgbdl0TBBvjc/OjdSKnpdU1CIzJ2B+CFBKlHBBU1H206cqeeqBG:Fh1Lk70Tnvjc2xn8n+BKlHBW1QdqBG

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8d6e729b4911e1a0e3e9053eab2392b.exe
    "C:\Users\Admin\AppData\Local\Temp\a8d6e729b4911e1a0e3e9053eab2392b.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      2⤵
      • Executes dropped EXE
      PID:1476

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
          Filesize

          4KB

          MD5

          d4910f56121ae1e3049ee0ed506ed5dc

          SHA1

          be48eba194f3e507873740cb844c7724ff4ba616

          SHA256

          ac70c1847bdf903a698de1badb72b9f9539ae9cc75cb3acc3062e4622977ee95

          SHA512

          c551d52823886f9cec7024457a06028526e8581f3dabd63646db57b9fa4760ccd9a295431cb1d037c20ead0be96f9fa21b04b8611a66429467ef538a8f0468d6

          Download Submit

        • memory/1476-18-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1476-17-0x0000000000B70000-0x0000000000B78000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2504-6-0x0000000074690000-0x0000000074D7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2504-4-0x0000000001E70000-0x0000000001EB8000-memory.dmp

          Filesize

          288KB

          Download

        • memory/2504-5-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2504-0-0x0000000074690000-0x0000000074D7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2504-8-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2504-9-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2504-10-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2504-3-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2504-16-0x0000000074690000-0x0000000074D7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2504-1-0x0000000001E20000-0x0000000001E6C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2504-2-0x0000000004A40000-0x0000000004A80000-memory.dmp

          Filesize

          256KB

          Download