Overview

overview

9

Static

static

3

3dfa782678...b1.exe

windows7-x64

9

3dfa782678...b1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 20:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe

  • Size

    493KB

  • MD5

    b5cb180e0403583889e7aae8297db9e4

  • SHA1

    a5bd6722dad912944c7e924c8efc0b047cba1ab6

  • SHA256

    3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1

  • SHA512

    5560d1acabd5d48ef8d123987537dc5321327f6ec96aac25417fb059c200846f46f9f074b13ae16cc6da3b14f072cf2ba31f4c7c4b1d434977e30ba88b129581

  • SSDEEP

    12288:S+qYt531sYtGVWpPz4IDlwLV1nWGYAZeAEdmSL6nju:Sdw5GVW54IBEV1jAmy6ju

Score
9/10
spywarestealer

Malware Config

Signatures

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 6 IoCs
  • Detects executables containing base64 encoded User Agent 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
    "C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:756
    • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
      "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
      "C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe" silent pause
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2964
      • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
        "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2828
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2444

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
      Filesize

      495KB

      MD5

      43ca5ec7cde76ccb6ba22d29ab6c7917

      SHA1

      c6e0206e1b9ced3722eff02637e2d0761a78275f

      SHA256

      c0dd5d37cba41b2169f34c5d99e67bd3341577d15cfc34d27f7e9575476699e8

      SHA512

      b7369db67d9105d965f8ad736dcdd15cf3acae2afbbc7aab35df60e6d903e01eae847e418e0391f71b3c616dd95ced8b66b2cb9c1a0f97303d35efa8a5a6d96b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
      Filesize

      495KB

      MD5

      ac06f1bbf165eac23edd8f33a6e783d1

      SHA1

      37e98b382aab02810bb40412e80c537397350c53

      SHA256

      9961ccb3e6fb1e425ef8e7ae0d7b12f8c1c47593ccaca54afbdeac35a179f271

      SHA512

      ea1e641ac0a50779926bbce8496b05a65f88f6a1ef74ebc13139f8ccfb9671c8c201877fc194b484debd7aee5be0959e44492af8aaf1ad9c598f832215d0a5e0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
      Filesize

      10B

      MD5

      2aced864e4b72d87a3aaaf5feb70b695

      SHA1

      d08d1b6e472865c84f1ac2b57c7c713580b3e77c

      SHA256

      9ab59bb9dcb000b5b532758a5942078ac45ba341fed56958dd41ae475046b0d8

      SHA512

      2885d725b000ae3bb2e6a719f3463f0701fef863dacc5cd0f4c2ab0407a61792174fb99679013968b4859f6bd09827523685e56d1bdfdf64c692ea321218578f

      Download Submit
    • memory/756-55-0x0000000000400000-0x0000000000468000-memory.dmp
      Filesize

      416KB

      Download
    • memory/756-17-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1244-34-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2828-68-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2828-78-0x0000000000400000-0x0000000000468000-memory.dmp
      Filesize

      416KB

      Download
    • memory/2964-58-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3272-45-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3932-12-0x0000000000400000-0x0000000000468000-memory.dmp
      Filesize

      416KB

      Download
    • memory/3932-44-0x0000000000400000-0x0000000000468000-memory.dmp
      Filesize

      416KB

      Download
    • memory/3932-0-0x0000000063080000-0x00000000631EC000-memory.dmp
      Filesize

      1.4MB

      Download