Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09/03/2024, 03:54
General
-
Target
d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe
-
Size
1.8MB
-
MD5
be174eb4ffb7b227b2e78644b98ef1ab
-
SHA1
f97edc25319588b1c995beb7133daf037a1cca1a
-
SHA256
d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb
-
SHA512
1d03e5ac4ee0caa2abbeda7f11e67d4699b7d35ea488867ffb0809ecc88035c7d53859ba001f02ebc6ad798941a51a31eb27a5c57d8ac4e0ef7552d6a733aeda
-
SSDEEP
49152:tIiiK2Sqn5EoSHWvIwQ92lUBTI3IUJS6Yy16qvXuK:qiiK2Vwu2FBClYqGK
Malware Config
Signatures
-
Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
-
UPX dump on OEP (original entry point) 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe"C:\Users\Admin\AppData\Local\Temp\d2d505a4944a92388e3ba620b02cab05c49be2be4e30329113d6da493223e5bb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 20003⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:31⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3972 -ip 39721⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3168 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
Filesize
21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
Filesize
229KB
MD5eda757c6ae24693068781c06550cb3a6
SHA1026eff85b267da853dac6cc00866bd1cb1c02c4d
SHA256748733ef6b3518ec18acbf68a3fa7f43e403738a29a275d6cb2df8e87851c277
SHA51236d171794fa540ecd6112dc1c8f1f393be60af9a1bb8da9e0e64363c390f3c68d370df569738192cfba09361d60e89bac219f0802a5a7c1670c86801c1742060
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
356KB
-
Filesize
27.1MB
-
Filesize
972KB
-
Filesize
27.1MB
-
Filesize
156KB
-
Filesize
1024KB
-
Filesize
27.1MB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
4KB