Overview

overview

7

Static

static

3

2024-05-22...rd.exe

windows7-x64

7

2024-05-22...rd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe

  • Size

    5.4MB

  • MD5

    b600f711cfa8bddc0ed8943f7f97a55c

  • SHA1

    096a71bde0db52df2dc4598fbef760c60c5fdcc7

  • SHA256

    8017b039e14c0323a496ce2a865bf0760a25dffbb54d803fe98c2345b84aeb4f

  • SHA512

    7b129447f1db49fd66ab2ed40249c443d131928359560f92f0c4f44624bf5374a3892dab07ef58473da0490711428ec990fcc3b361a22e67070134a868e9cd4e

  • SSDEEP

    49152:FyaYC2+tw6s/3EmScKaOFVDWZLkQ8GOmQtWkccKJlD3/khr76f7HN0QBsCe7hA02:FyVSc3FLJoqfBSLFPq2vDWqgnj

Score
7/10
executionspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-22_b600f711cfa8bddc0ed8943f7f97a55c_megazord.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CreditCardData
    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\History
    Filesize

    124KB

    MD5

    9618e15b04a4ddb39ed6c496575f6f95

    SHA1

    1c28f8750e5555776b3c80b187c5d15a443a7412

    SHA256

    a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

    SHA512

    f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qtpt54q.v2m.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\i77LJJieL7puLXAWXV8E6SGwbKHq0X\screen1.png
    Filesize

    477KB

    MD5

    4f34b0aad52af848e502eea2acfac80d

    SHA1

    aeccc55d0c439d90da9f12f98900d4481d6bdd66

    SHA256

    7ee3b977816565b4bd7a37b40770fd4ca035486f52d87f8b345ca47b788dab76

    SHA512

    8a721b8cf69d97fc869a8d92b55a7bcab25ffe92a59e1f8119a0cda5cf739f1f6722b6698de5fcadeae7d23868fdd77861f0f77772521f9f6ad8a8521bb2b4dd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\i77LJJieL7puLXAWXV8E6SGwbKHq0X\sensitive-files.zip
    Filesize

    5.7MB

    MD5

    80c13bb52c76df9b77fdbfa5950f8bab

    SHA1

    a62de5523c972b40375cc3753debe28bd9688c7b

    SHA256

    eef9b6aadb42e015c2d57f73274ea7261c7b9d66ff8537f02451e8bcfd6a7ab0

    SHA512

    af27656bf0c15a1623137b83e3e73d1f11bfde6579c6c1c252c90ffc393ca0983fb3742feaa3298f8987c5695950d31490cf754835597d517ba329d5816a0ac5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\i77LJJieL7puLXAWXV8E6SGwbKHq0X\user_info.txt
    Filesize

    553B

    MD5

    a5d31ca120c6822f28c0213716d76fc5

    SHA1

    0f8ae342e776a30517a9020b7841ca802a656e22

    SHA256

    d5939f4ca455e209dc18c0211eba8d2b7351f33b52854852fd43519b07a0ddbb

    SHA512

    2324eed705db23c095cb2e2098d656cceb3d9fdcce21d6e2e4d3ff8e5a498af47b5028f87ca5dd7b3300bb27e5291c84d5649fdf2696477b4fbbbb5451e68073

    Download Submit
  • memory/2596-0-0x00007FFD7EC70000-0x00007FFD7EE65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2596-2-0x00007FFD7EC70000-0x00007FFD7EE65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2596-1-0x00007FFD7EC70000-0x00007FFD7EE65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2596-6-0x00000188EE140000-0x00000188EE162000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2596-16-0x00007FFD7EC70000-0x00007FFD7EE65000-memory.dmp
    Filesize

    2.0MB

    Download