2ea9c58182188372eaef8e142bbebb1016cadb552bd2ac9307da940a97b21e1b

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
Size

1.2MB
MD5

c3a7fb5e0fb80c3baf74c3dcdad6f45b
SHA1

73c0551396292b065851d44b59541b23affab955
SHA256

2ea9c58182188372eaef8e142bbebb1016cadb552bd2ac9307da940a97b21e1b
SHA512

403ec879be6f4dcc5a71ca7c223c4c7492a2ac983fec3175a8e042ad63705c9ccd2de7d29a5129b1169feedd7cb97815fa99ab9e53f805f798fb39830e65cf9e
SSDEEP

24576:yzd9Sm6s3SB4VbhzGcHb0bBhXxtyesOlU0YOTAXnA91IV7HExDaI/:yzTSmvdcwb0VhXHlrTKA91IV7HExOI/

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
3936	msedge.exe
3936	msedge.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 4484 wrote to memory of 3936	4484	svchost.exe	80
PID 4484 wrote to memory of 3936	4484	svchost.exe	80
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96
PID 2232 wrote to memory of 4484	2232	c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe	96

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3248 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Users\Admin\AppData\Local\Temp\c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe
"C:\Users\Admin\AppData\Local\Temp\c3a7fb5e0fb80c3baf74c3dcdad6f45b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9d257cd000a1ccb3b9f93e2ec1846540

SHA1
28e6efe6ce3b2a23b8ce448ddad49c15645636a8

SHA256
96cfc3445e8031de83aa119cce28f8a459b7ae7892908d0f0408e5c79412b032

SHA512
24b2bd1782c2ce2c8a158a1cbf7754b9dc8bdce352b9a3b06c2e03ece09d9a58db49bc088c20783dfaf4473b48322d3f7a7ca2b456251ec6213dca6431e028ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e5e3c35.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC99C.tmp

Filesize
22B

MD5
55703897ae8ad983100e1747dc22d5ab

SHA1
641e9936907f88eddd5aab61ce602fa05747d376

SHA256
ca663c83333806977706fafbd336973e3ff3cb04b6aefb9bbc7b40c99ee77f25

SHA512
c4853cb2eb3fa22969541a0d77a16c5a6775014b9a1eb51dff25af25eb92de64460b7a4128fdcb61f6e8c09625d6d4561c232d6e16d9ca0b0f25db07d836b0bf

Download Submit
memory/2232-1-0x00007FFC5D0F0000-0x00007FFC5D2E5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-7-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/4484-15-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/4484-20-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download