Overview

overview

8

Static

static

7

7f4eaff8a2...0d.exe

windows7-x64

8

7f4eaff8a2...0d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d.exe

  • Size

    1.3MB

  • MD5

    3ca4167a9198d863f2ec850fa696895b

  • SHA1

    a8c2f27e9bff77a4be4e95ece1e90813d686ac83

  • SHA256

    7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d

  • SHA512

    185cc1a5ebaac1a51b00b12560a835ac7c0931ba38a2e2eaa6135a23f4a0961cf534989ed38e8690e6ddd65bd70327f159bf401c9d297bc8dc004a50f5fba8e2

  • SSDEEP

    24576:Qak/7Nk4RZArKZu0zoFmDcpii9iGn+66rLfJIgtEqPILWz8oDqE:Qak/VZu+k0WdEacJRIo+E

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d.exe
    "C:\Users\Admin\AppData\Local\Temp\7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d.exe
      "C:\Users\Admin\AppData\Local\Temp\7f4eaff8a219e74efeb7af786962fcd2d7b1beddf534ae0928b1b344a5ec0d0d.exe" Master
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcface46f8,0x7ffcface4708,0x7ffcface4718
          4⤵
            PID:4196
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
            4⤵
              PID:4648
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1988
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
              4⤵
                PID:4076
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                4⤵
                  PID:1376
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                  4⤵
                    PID:2100
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
                    4⤵
                      PID:2624
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1872
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
                      4⤵
                        PID:540
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                        4⤵
                          PID:4824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                          4⤵
                            PID:1448
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                            4⤵
                              PID:392
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                              4⤵
                                PID:2908
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                                4⤵
                                  PID:3504
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
                                  4⤵
                                    PID:3380
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
                                    4⤵
                                      PID:2532
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,13897405543738471843,7047358340268763305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5480 /prefetch:2
                                      4⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4396
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4580
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:540

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v13

                                  Initial Access

                                  Execution

                                  Persistence

                                  Privilege Escalation

                                  Defense Evasion

                                  Credential Access

                                  Unsecured Credentials

                                  1
                                  T1552

                                  Credentials In Files

                                  1
                                  T1552.001

                                  Discovery

                                  Query Registry

                                  4
                                  T1012

                                  System Information Discovery

                                  4
                                  T1082

                                  Peripheral Device Discovery

                                  1
                                  T1120

                                  Lateral Movement

                                  Collection

                                  Data from Local System

                                  1
                                  T1005

                                  Exfiltration

                                  Command and Control

                                  Impact

                                  Resource Development

                                  Reconnaissance

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    87f7abeb82600e1e640b843ad50fe0a1

                                    SHA1

                                    045bbada3f23fc59941bf7d0210fb160cb78ae87

                                    SHA256

                                    b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                    SHA512

                                    ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    f61fa5143fe872d1d8f1e9f8dc6544f9

                                    SHA1

                                    df44bab94d7388fb38c63085ec4db80cfc5eb009

                                    SHA256

                                    284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

                                    SHA512

                                    971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    e7d960a7a21dd5d007a9d19bc4771b13

                                    SHA1

                                    c579a992b21e76bb63b49c9f8a15e68ab1d6e4be

                                    SHA256

                                    c3645995f399c5c9f2540f6f26a7396b4f56ab1c6d8f2f383da6c08b6c5e0e6d

                                    SHA512

                                    73969287f35e5853d86a4250c4aea162e96f518d169139f6f178988064f16853aa748f981014531ecb6e1ab76579b74189bc8670de2f7e6600a7769cacd1a22b

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    3ac327a5f49d5b285b2974783933f2a3

                                    SHA1

                                    b4c27f92aac44c829351f88ebe795c029e7510e8

                                    SHA256

                                    843319fbb8b891bc8d7cf69257ec0dcc0eb8699ab078c186ec500d078c46a49f

                                    SHA512

                                    b9869de3967579421f263332134abf18c3273a2237e15bfe2ec7a39e86810c201b8e95ebae4635f8e46c39846896d76ad19346ce6af38dfb7273ac79091ba4cc

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    41be476424a8e734f677a23c139059d3

                                    SHA1

                                    ac392c7626ab18ed6c2fb915279ee7eab9278b21

                                    SHA256

                                    3385ec7ce343529bc0b64b4afe8e0e20096d799610ffc30c0254e658556ac7a3

                                    SHA512

                                    8deff6cd39857dd0518dcd329877f9354cacc03e739ce79e170fc921a7e58da43baaf50fcf5a3ea212915f4e1e4db5d474d80c4c9d8effb1e11bd8ffbf628ed3

                                    Download Submit
                                  • \??\pipe\LOCAL\crashpad_4620_SABQGJOTCKSZEAKC
                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    Download Submit
                                  • memory/2204-20-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-17-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-6-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-10-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-7-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-13-0x0000000002340000-0x0000000002341000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/2204-16-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-11-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2204-9-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-0-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-12-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-4-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-5-0x0000000002310000-0x0000000002311000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/2900-3-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-2-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download
                                  • memory/2900-1-0x0000000000400000-0x00000000006A6000-memory.dmp
                                    Filesize

                                    2.6MB

                                    Download