Overview

overview

7

Static

static

3

SoftWare.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 22:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SoftWare.exe

  • Size

    555KB

  • MD5

    79e417e6206b619482b6f30a015888ae

  • SHA1

    a89211d5480c7bb2e7bc884472bbfa98dbb27420

  • SHA256

    fe78a4de38c2bef424c48eb63ec9bec820dff11bf061644d949aad4486967da3

  • SHA512

    1630067568280a944cff4c28287b13d45485cef61ece1920b2e9ffd23239b0ea0ce6486b827a6021cb9d175911e576f51d9364081c4beaae0a44a283be6844a7

  • SSDEEP

    12288:qDTotCXVzhcuZENm5e6dg0ml29o2ds1k71kln3HyWVM:qDcklznEQ5hv9o2dsSkl3Hy

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoftWare.exe
    "C:\Users\Admin\AppData\Local\Temp\SoftWare.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 300
      2⤵
      • Program crash
      PID:2008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2912 -ip 2912
    1⤵
      PID:4976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff991be46f8,0x7ff991be4708,0x7ff991be4718
        2⤵
          PID:3360
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
          2⤵
            PID:4124
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2508
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
            2⤵
              PID:876
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
              2⤵
                PID:4568
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
                2⤵
                  PID:2264
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
                  2⤵
                    PID:4440
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13677295030442904046,623404080887228591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
                    2⤵
                      PID:2132
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:1536
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:2384

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        c39b3aa574c0c938c80eb263bb450311

                        SHA1

                        f4d11275b63f4f906be7a55ec6ca050c62c18c88

                        SHA256

                        66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

                        SHA512

                        eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        dabfafd78687947a9de64dd5b776d25f

                        SHA1

                        16084c74980dbad713f9d332091985808b436dea

                        SHA256

                        c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

                        SHA512

                        dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        3cb3720536f6aebac96139a69883047e

                        SHA1

                        9c2a8642f27cc2506c69456ac89c0895fe1d4347

                        SHA256

                        51ad6b3d8560628060009766606ca7399cae65a7f4454abf753a0d4e748afd05

                        SHA512

                        c529ec962205daf7c36a7598859e2739e64241e48c5b87463ed21ec2be10de3d510fea39920b003a3c7644f17c2f1d9bd16f056fd6470b60e92630de1c0ffe80

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        6KB

                        MD5

                        d7212304385265cfd9410774bc698109

                        SHA1

                        0ac0b9e1b8d8d501a18d0064b7eaa1e515b2cf7f

                        SHA256

                        8a56c99ba908e366bc4de72ba6bf3a238e3b621b853b95aff6688ed183ec407e

                        SHA512

                        128655ed3db32dfd90d1743444f49edb9bd48d818426534ef2b2023efd00c38b165da788a8fe18a91ba7524f3d03da9d92e85b486850ba04ab39c4b559416687

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                        Filesize

                        8KB

                        MD5

                        d6e0f22fe9d50f202a5594d800c70851

                        SHA1

                        ae88d2fcc8e894f4507df5e6d78f6cef0dee467c

                        SHA256

                        87a509f200882958919a43ede7cf1cb4c47e15998c4facd481386a03bbb4012a

                        SHA512

                        c63e314ac7bb4cac76fff73ee564440cbfd6679f48b65ce6c0d557b433b3192fdba213fc3982416d77eff38be71c8fb19418bffdfc4004de81af0a55309b4875

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                        Filesize

                        264KB

                        MD5

                        f50f89a0a91564d0b8a211f8921aa7de

                        SHA1

                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                        SHA256

                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                        SHA512

                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                        Download Submit

                      • memory/112-12-0x000000007490E000-0x000000007490F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/112-6-0x0000000005600000-0x000000000560A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/112-9-0x00000000083F0000-0x0000000008402000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/112-10-0x0000000008450000-0x000000000848C000-memory.dmp

                        Filesize

                        240KB

                        Download

                      • memory/112-11-0x00000000085E0000-0x000000000862C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/112-1-0x0000000000400000-0x000000000045A000-memory.dmp

                        Filesize

                        360KB

                        Download

                      • memory/112-13-0x0000000074900000-0x00000000750B0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/112-16-0x0000000008190000-0x00000000081F6000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/112-17-0x0000000009440000-0x00000000094B6000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/112-18-0x0000000008950000-0x000000000896E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/112-19-0x000000000A3F0000-0x000000000A5B2000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/112-20-0x000000000AAF0000-0x000000000B01C000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/112-7-0x00000000089A0000-0x0000000008FB8000-memory.dmp

                        Filesize

                        6.1MB

                        Download

                      • memory/112-8-0x00000000084D0000-0x00000000085DA000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/112-5-0x0000000074900000-0x00000000750B0000-memory.dmp

                        Filesize

                        7.7MB

                        Download

                      • memory/112-4-0x0000000005620000-0x00000000056B2000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/112-3-0x0000000005AF0000-0x0000000006094000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/112-2-0x000000007490E000-0x000000007490F000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2912-0-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

                        Filesize

                        4KB

                        Download