Malware Analysis Report

2024-11-30 06:40

Sample ID 240612-wd91zaxfkq
Target 480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe
SHA256 480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e
Tags: spyware
Score: 6/10

Analysis Overview

Score: 6/10

SHA256: 480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e

Threat Level: Shows suspicious behavior

The file 480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe was found to show suspicious behavior.

Malicious Activity Summary

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:49

Reported

2024-06-12 17:52

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2072 set thread context of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A (4 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2072 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (9 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe

"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
RU | 5.42.65.67:48396 | N/A | tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:49

Reported

2024-06-12 17:52

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 596 set thread context of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A (4 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 596 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (8 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe

"C:\Users\Admin\AppData\Local\Temp\480fef68aac3028269fc720cc506c17db33d95fa79c050fb127bfd777785d05e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp

Files
