Overview

overview

10

Static

static

3

e0f87ea261...1d.exe

windows7-x64

10

e0f87ea261...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 01:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe

  • Size

    8.8MB

  • MD5

    ee4f83a8ead6120a3f100c9be2b3c896

  • SHA1

    ba3a45b9f3687406c55e6025d8454172a8757138

  • SHA256

    e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d

  • SHA512

    450ac224954fb94098c25c09733b84a950d8fb7b6dcffbf55322d3f03ffabba77503127f31c3910494852adaeb3c5c3939aebe4bcc9a9d3200928b1c695f2cad

  • SSDEEP

    196608:O4xEPDZ2UywCbw3/GUQHZqW80JbR5vT4b4BaqFz1GI9Ke:OY+8Uyho/GUQHZqW80JbR5vT4b4BaqFz

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe
    "C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe 
      C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe 
      2⤵
      • Executes dropped EXE
      PID:4848
    • C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
      C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2172
      • \??\c:\windows\wininit.exe
        c:\windows\wininit.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1992
      • \??\c:\users\admin\appdata\local\svchost.exe
        c:\users\admin\appdata\local\svchost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • System policy modification
        PID:3136

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe 
          Filesize

          208KB

          MD5

          47216a1ba69974a29b372452793bf33a

          SHA1

          e19ab9bdcb854325fb1073c907c6657be2f32ee2

          SHA256

          02656101bd5905a550e72daf168568d3fda3a4b1a5ec3c0a93f1bc4c3062b987

          SHA512

          cc43017a1011c784473bd8f588d858ae06885ac65ec86d1c8c4c8cf9c5aa6b0e9d177a29ac65f69701bf09f5ef8b3cb55937a5781ca03cb9bab53bdaa28b6d7a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e0f87ea261dc02d89f0a2258334e3b7403de30e7604c5b8160e29c9f23bee51d.exe 
          Filesize

          186KB

          MD5

          7f0fa1ff961b41775775293c49096d3f

          SHA1

          a8e07b08d087b1419df7e7230c62744a2eba39c4

          SHA256

          f354621e41737a7a70b4e15e009c6c0008934e6e382238d19f58b7cf92470db3

          SHA512

          8c76785bc33c1a688a172d201389e8d47098291b5a90fe81d305c3514bc4676f3b1f4efe004e469f160d7671b067ed2befa8d96ace09b34a2e995e0b9fa16bf5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
          Filesize

          85KB

          MD5

          05a10d73496497b4480101faf7264f52

          SHA1

          19ff4e665c05c30ce75087ba11126fe70f8b70fa

          SHA256

          49617236fb37832796801bbc57fac1c98b79e139cfbf2d3e43db0e1b16cae0f7

          SHA512

          0afb8ceff15d366c2fa7a1d69bbae55e698ad829a6bb244ea451e69985c0ae616bba60bbb121c31727458a2016b6b150358aab2572986647bb8a9b7c9e9a54c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
          Filesize

          152KB

          MD5

          9b7027d671fe11683be24326feb32d8d

          SHA1

          acc4ba2feacbbdc0dc596967cc7f03f2d5b1877a

          SHA256

          866da6d84d42fadc62a82ffc144e513dd6ff3a2f439b6a0068101c7601ed15da

          SHA512

          2ef4f37661699793dd9a0ee477b44069f1da4401a3648372ed4ff4d04c0abdb9b11a3667bd72431131f063475b3b34c6b843b0a224b3da603e356c2cf3f897e6

          Download Submit

        • C:\Users\Admin\AppData\Local\svchost.exe
          Filesize

          2.4MB

          MD5

          cb965a01b90f5aba913bf6eb3a9fc642

          SHA1

          f85abea33bbf8fb7d9d9ec57e973bed4d34d4537

          SHA256

          8d5966a59804d77a50c0da0cdab6cb84b015b92d916ba9c6fc693a488dc2dea8

          SHA512

          771c7673cd719a9d73095e9ce705951c8e67f5412eaab03c27579f27adf63ab01ecf45abfd1c4f6ab2097c24b549baa1f5a21c7b558358848e2d0f4e97627443

          Download Submit

        • C:\Windows\wininit.exe
          Filesize

          2.2MB

          MD5

          b41bf7d5510e00e741b70b7969d0d595

          SHA1

          675f1d8f2cdca7cddc759bf0e500430660653fe3

          SHA256

          d9b0dcfc710303af0d54e5a70993f7e02a0e5727210f870ac373c45f988a0022

          SHA512

          4c470d780dbc67575c8bc4373176c3869f16e58cff40cdf8cb04ab1d366554093f686eb088a7fb68cc1a194664c9b783ba63c2f3ae8bbc8f64feab8851086e8f

          Download Submit

        • C:\Windows\wininit.exe
          Filesize

          2.1MB

          MD5

          8d570ae2d498c6cec1174dee477dd461

          SHA1

          67647a234ec534486c5d49ed25828126cb7db8ac

          SHA256

          25b93d9f664f3bcf5c5439a9c14ad83edc2b7dbe7bec8ef62009b7f61a52eea8

          SHA512

          8c61833d4806809d994f588e41a316bd5b9b0e442c9cac9a573a2aac2126c18e14960caa5a4d1b6124755087516d0682a374c7e22d1f9f5a0cb800752141e2ff

          Download Submit

        • \??\c:\users\admin\appdata\local\svchost.exe
          Filesize

          1.9MB

          MD5

          5e6d8bc6a9215bf1c4d0cbc606795e9a

          SHA1

          d88b7efe00c49061ca97f048ea76a5f8f7e4b912

          SHA256

          2d4d6298f936a4b2e0862f3f4995c1bf424381f87a86eb8f3a6d040636cce69c

          SHA512

          e6fb298f29037c118beca7574c457f7da271c0eb57d51f3f6ef6e10b88ccb5cff2c453c164f16e7f3fd7d36d92ae92a5baa71daf3ed4e5b613bcecd7f699be5d

          Download Submit

        • \??\c:\windows\wininit.exe
          Filesize

          1.8MB

          MD5

          5d8da1e5d8b114683502bb8999189680

          SHA1

          0ce7bbb37074b69c9198c413d6ca4d9d2d787aa8

          SHA256

          07cdc83378c5a877dcd0395914fa8502a4995ad8becae01a428e0ca780ce0f80

          SHA512

          718fee8bf6303faeb8ee5d2f473b0eb7950c5cb0df03e902668f312fbe12f62d4904b96c65fdda940e2041ad931e46b19f45fb43a53dee1710601f5293b024af

          Download Submit

        • memory/1992-46-0x0000000000970000-0x0000000000971000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1992-53-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/1992-77-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/1992-65-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/1992-57-0x0000000000970000-0x0000000000971000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2172-50-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/2172-10-0x00000000009B0000-0x00000000009B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3136-54-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/3136-58-0x0000000002750000-0x0000000002751000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3136-49-0x0000000002750000-0x0000000002751000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3136-66-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/3136-76-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/4964-51-0x0000000000400000-0x00000000007B5000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/4964-0-0x00000000008E0000-0x00000000008E1000-memory.dmp

          Filesize

          4KB

          Download