Analysis

  • max time kernel
    0s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2023 09:28

General

  • Target

    1484a0ecf720d351f8897c2f9b3f5046.exe

  • Size

    61KB

  • MD5

    1484a0ecf720d351f8897c2f9b3f5046

  • SHA1

    8770a72054cc21f07051df2b4c0f7775cc4fa731

  • SHA256

    a00d950fbee25d407f79f5d7211cbd1f15d27f89bf5714e44f222c9013f6c131

  • SHA512

    136ef22f74ed55859bb143a26b2dbf1f4bb84c267d461e60d44934eb879a9efc4902e05dd386bb4926ea2cc469f8f7efe24ae6d6a4bb45511b4939558b379d97

  • SSDEEP

    768:iKsMqCXfVcWO/M9ZkiANIUhyIYLDwUzc80gmq3oP/oDn:iKseiM9ZkiAPhAr/0O8/o7

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser profile data, which can include saved credentials, cookies, autofill entries and browsing history.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1484a0ecf720d351f8897c2f9b3f5046.exe
    "C:\Users\Admin\AppData\Local\Temp\1484a0ecf720d351f8897c2f9b3f5046.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:64
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 2200
      2⤵
      • Program crash
      PID:1124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 2200
      2⤵
      • Program crash
      PID:1272
  • C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 868
    1⤵
    PID:3460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 868 -ip 868
    1⤵
    PID:100
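The process tree above carries three behaviours a responder would want to hunt for elsewhere in the estate: the Run-key write behind "Adds Run key to start application", the hardware-UUID fingerprint taken with "wmic csproduct get uuid", and the WerFault.exe handlers whose "-p 868" argument names the sample's own PID as the crashing process (the "Program crash" IoCs). The following is an added example, not part of the sandbox report: it runs those three checks over constructed process-creation and registry events that mirror this page's tree. The event field names assume a Sysmon-style log source (EventID 1 for process creation, EventID 13 for registry value writes), which the report does not provide; the Run-key value name and the SID in the constructed events are placeholders, since the page does not show them.

```python
"""Hunting checks for three behaviours the report above attributes to the
sample: Run-key persistence, hardware-UUID fingerprinting via
"wmic csproduct get uuid", and WerFault crash handlers spawned for the
sample's PID. Added example, not part of the sandbox report. Field names
(EventID, ProcessId, Image, CommandLine, TargetObject) assume a
Sysmon-style log source, which the report does not supply."""
import re
from dataclasses import dataclass

# ...\CurrentVersion\Run or RunOnce value writes (Sysmon EventID 13).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# The WMIC invocation seen in the process tree.
WMIC_UUID_RE = re.compile(r"\bwmic(\.exe)?\b.*\bcsproduct\b.*\buuid\b", re.IGNORECASE)
# WerFault.exe ... -p <pid>: <pid> is the faulting process. "-pss" and "-ip"
# must not be mistaken for "-p", hence the leading whitespace in the pattern.
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_events(events, suspect_pids):
    """Return one Finding per event that matches one of the three rules."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        cmd = ev.get("CommandLine", "")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding("run_key_persistence", pid, ev["TargetObject"]))
        elif eid == 1 and WMIC_UUID_RE.search(cmd):
            findings.append(Finding("wmic_csproduct_uuid", pid, cmd))
        elif eid == 1:
            m = WERFAULT_PID_RE.search(cmd)
            if m and int(m.group(1)) in suspect_pids:
                findings.append(Finding("werfault_on_suspect_pid", pid, cmd))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1484a0ecf720d351f8897c2f9b3f5046.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events mirroring the process tree on this page. The Run-key
# value name is not shown in the report, so "ExampleValue" is a placeholder,
# and the SID is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 868, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 868, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"},
    {"EventID": 1, "ProcessId": 64, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"cmd.exe"'},
    {"EventID": 1, "ProcessId": 4900, "Image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "CommandLine": "wmic csproduct get uuid"},
    {"EventID": 1, "ProcessId": 1124, "Image": WERFAULT,
     "CommandLine": f"{WERFAULT} -u -p 868 -s 2200"},
    {"EventID": 1, "ProcessId": 3460, "Image": WERFAULT,
     "CommandLine": f"{WERFAULT} -pss -s 416 -p 868 -ip 868"},
    # Benign control: a crash handler for an unrelated PID must not fire.
    {"EventID": 1, "ProcessId": 5000, "Image": WERFAULT,
     "CommandLine": f"{WERFAULT} -u -p 4242 -s 1000"},
]


def run_sample():
    """Apply the checks to the constructed events with the sample (868) as suspect."""
    return check_events(SAMPLE_EVENTS, suspect_pids={868})


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Against the constructed events the checks fire four times (the Run-key write by 868, the WMIC query by 4900, and the two WerFault handlers for 868) and stay silent on cmd.exe and on the WerFault control for an unrelated PID. The WerFault rule is only useful once a suspect PID is known from another alert; on its own, a crash handler is ordinary Windows behaviour.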

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/868-1-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

  • memory/868-0-0x0000000000360000-0x0000000000376000-memory.dmp

    Filesize

    88KB

  • memory/868-2-0x0000000005210000-0x00000000057B4000-memory.dmp

    Filesize

    5.6MB

  • memory/868-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp

    Filesize

    584KB

  • memory/868-4-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

  • memory/868-59-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB

  • memory/868-68-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

  • memory/868-96-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

    Filesize

    40KB

  • memory/868-97-0x00000000744B0000-0x0000000074C60000-memory.dmp

    Filesize

    7.7MB
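The dump file names above encode the PID, a sequence number and the start and end address of the region captured, so the stated sizes can be recomputed and repeated captures of the same mapping identified before any file is opened. The following is an added example, not part of the sandbox report: it parses the nine names listed on this page, checks each computed size against the stated one, and groups the dumps by address range. The rounding rule used to reproduce the report's figures (one decimal place for MB, whole KB otherwise) is an assumption of this example.

```python
"""Parser for the memory-dump names listed under Downloads above. Added
example, not part of the sandbox report. Recomputes each region's size from
the address range in the file name, checks it against the stated size, and
groups dumps by address range so repeated captures of one mapping stand out.
The (name, stated size) pairs are copied from this page; the rounding rule
in human_size() is an assumption chosen to reproduce the report's figures."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [  # (file name, stated filesize) as listed on this page
    ("memory/868-1-0x00000000744B0000-0x0000000074C60000-memory.dmp", "7.7MB"),
    ("memory/868-0-0x0000000000360000-0x0000000000376000-memory.dmp", "88KB"),
    ("memory/868-2-0x0000000005210000-0x00000000057B4000-memory.dmp", "5.6MB"),
    ("memory/868-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp", "584KB"),
    ("memory/868-4-0x0000000005000000-0x0000000005010000-memory.dmp", "64KB"),
    ("memory/868-59-0x00000000744B0000-0x0000000074C60000-memory.dmp", "7.7MB"),
    ("memory/868-68-0x0000000005000000-0x0000000005010000-memory.dmp", "64KB"),
    ("memory/868-96-0x0000000005AC0000-0x0000000005ACA000-memory.dmp", "40KB"),
    ("memory/868-97-0x00000000744B0000-0x0000000074C60000-memory.dmp", "7.7MB"),
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format a byte count the way the report does (assumed rounding rule)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def verify_sizes(dumps):
    """Return (name, stated, computed) for entries whose stated size does not
    match the size implied by the address range; empty means all consistent."""
    mismatches = []
    for name, stated in dumps:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != stated:
            mismatches.append((name, stated, computed))
    return mismatches


def group_by_region(dumps):
    """Map each (start, end) range to the sequence numbers at which it was dumped."""
    regions = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump_name(name)
        regions[(d["start"], d["end"])].append(d["seq"])
    return dict(regions)


if __name__ == "__main__":
    print("size mismatches:", verify_sizes(DUMPS))
    for (start, end), seqs in sorted(group_by_region(DUMPS).items()):
        print(f"0x{start:08X}-0x{end:08X} {human_size(end - start):>6} dumped at seq {seqs}")
```

Run as a script, it reports no size mismatches and shows that the nine files cover six distinct regions: the 7.7MB mapping at 0x744B0000 was captured three times (sequence 1, 59 and 97) and the 64KB region at 0x5000000 twice, so a reviewer need only pull one copy of each unless the contents are expected to differ between captures.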