8017b039e14c0323a496ce2a865bf0760a25dffbb54d803fe98c2345b84aeb4f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe
Size

5.4MB
MD5

b600f711cfa8bddc0ed8943f7f97a55c
SHA1

096a71bde0db52df2dc4598fbef760c60c5fdcc7
SHA256

8017b039e14c0323a496ce2a865bf0760a25dffbb54d803fe98c2345b84aeb4f
SHA512

7b129447f1db49fd66ab2ed40249c443d131928359560f92f0c4f44624bf5374a3892dab07ef58473da0490711428ec990fcc3b361a22e67070134a868e9cd4e
SSDEEP

49152:FyaYC2+tw6s/3EmScKaOFVDWZLkQ8GOmQtWkccKJlD3/khr76f7HN0QBsCe7hA02:FyVSc3FLJoqfBSLFPq2vDWqgnj

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2868 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2868 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2868 powershell.exe

pid	process
2868	powershell.exe

pid	process
2868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe

description	pid	process	target process
PID 2576 wrote to memory of 2868	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	powershell.exe
PID 2576 wrote to memory of 2868	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	powershell.exe
PID 2576 wrote to memory of 2868	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	powershell.exe
PID 2576 wrote to memory of 2808	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	WerFault.exe
PID 2576 wrote to memory of 2808	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	WerFault.exe
PID 2576 wrote to memory of 2808	2576	2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2576 -s 604
2⤵
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6aoh8k58JsfmW9HhqB4ubEAbHCtYjI\screen1.png

Filesize
400KB

MD5
eac2ad1c501c34514896ce671dec2af6

SHA1
9ac4d326e6f9f3fc7c158e455b91d1284208d6f3

SHA256
a750831f2962d5454000fd2ef1220a40128059f79005d723ae283bad28bd5871

SHA512
0e99a575bba840813b2d1e4a0e197c5c07b7153284c7869938ec7c1aa842c0eb3bd8cbc8951cf6db5cf3b0b315ec5eeab34dda634c32ca4d39d19564d3a6177e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aoh8k58JsfmW9HhqB4ubEAbHCtYjI\sensitive-files.zip

Filesize
5.5MB

MD5
f5d600ea14cdead0374114dc6fc595fa

SHA1
8e81660fbbd4415998cdacc5b48e9edb9fdfc243

SHA256
e4bf6a4e1891ce9bf601bb8d6262ee461347353cbb3192c754bb2e2241782834

SHA512
8f0ffa406d1f7a61280c8e9c492e0a54e17ec2b54b61bde9c4da2713b4fec454279fdb0f946bf75d92a90515d93e57166b79f2ed20d536f023ddb07b60f5be08

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aoh8k58JsfmW9HhqB4ubEAbHCtYjI\user_info.txt

Filesize
759B

MD5
61b46c293e4461c59f60aa6ae742d364

SHA1
3528f9a52f9eca1d6439779d33c6d867bacf027e

SHA256
3b803cab307cdb251dcd55339aae81f32f8002aaf6722c1d51a3627a65321bec

SHA512
047b2ee0d871a2a5aa4d3a8993d9f820c78324bb5d813ce3ce8ab43c56b70bd28caab243a01ea03d5aea108abf6a37432a2eca3a4cc7cc1c849a3a5788a204f7

Download Submit
memory/2868-4-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2868-6-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2868-10-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-8-0x0000000002B6B000-0x0000000002BD2000-memory.dmp

Filesize
412KB

Download
memory/2868-7-0x0000000002B64000-0x0000000002B67000-memory.dmp

Filesize
12KB

Download
memory/2868-47-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download