2883ca6aa4128eba9e009482d2e665ff528465c853e099aa87a9324fc343ff64

Analysis

max time kernel
157s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project.exe
Size

147.0MB
MD5

5fff4c7f41fe8a04f7c6ffcb191bfd54
SHA1

e660df9a92442e6a91e0805b3310a94bde5fe414
SHA256

4aba8d9303ced281e6b884dbb045582d9bf24405ced912fb9aeb97335ffe483d
SHA512

7cd6010c78c81f5a9234f3a5849d4c7bc3896a537fd3c4030976f29cabf16aeb331a88c4186fd0bb2edc9b56fa6551065c247a0ca05084aaa72ddfab75d0ff14
SSDEEP

1572864:QroLm1cZ4K5MvHwpkeg9duXYFPEiFWITK886rc028B+yJwG5xmR:FCjwAI8xO

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Project.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe Project.exe
Loads dropped DLL 2 IoCs

Processes:

Project.exe

pid process

3768 Project.exe
3768 Project.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Project.exe

pid process

4144 Project.exe
4144 Project.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Project.exe

pid	process
3768	Project.exe
3768	Project.exe

pid	process
4144	Project.exe
4144	Project.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Project.exe

description	pid	process
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe
Token: SeShutdownPrivilege	3768	Project.exe
Token: SeCreatePagefilePrivilege	3768	Project.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Project.exe

description	pid	process	target process
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 2196	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 3372	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 3372	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 4144	3768	Project.exe	Project.exe
PID 3768 wrote to memory of 4144	3768	Project.exe	Project.exe

C:\Users\Admin\AppData\Local\Temp\Project.exe
"C:\Users\Admin\AppData\Local\Temp\Project.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\Project.exe
"C:\Users\Admin\AppData\Local\Temp\Project.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1736,i,17527139624683394941,18246402110627496960,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Project.exe
"C:\Users\Admin\AppData\Local\Temp\Project.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=2144 --field-trial-handle=1736,i,17527139624683394941,18246402110627496960,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\Project.exe
"C:\Users\Admin\AppData\Local\Temp\Project.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,17527139624683394941,18246402110627496960,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4856 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1870455-9b29-4da1-b2cc-572e0471a25a.tmp.node
Filesize
134KB

MD5
109624345394b9641a2dee876c3c354f

SHA1
31d960ef30dca42c7e97c1bb36dd50a1bf0c72d4

SHA256
4450d61845c86710fa7f3f98c77469f2c4a7478c04184c20c0fed589a3e4b52e

SHA512
382a77c62d8ec1150a055bae9b579279344d0a70d579ceaff137818bbbe77f392f98f334ce3bf33cb3c3547d57202426350fca0f713bd3912db5f17979a3d40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b14dbbe9-d0f1-419f-9b61-654f93efcb4b.tmp.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
memory/2196-11-0x00007FF9A66F0000-0x00007FF9A66F1000-memory.dmp

Filesize
4KB

Download
memory/4144-35-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-30-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-29-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-28-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-34-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-37-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-36-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-39-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-38-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download
memory/4144-40-0x0000018339040000-0x0000018339041000-memory.dmp

Filesize
4KB

Download