076b9976d087477d38d647d2098fc24255cf637bbd406fef45a2b70380417cc8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe
Size

17.1MB
MD5

505c82de0d88ad7024d2982e44d1d118
SHA1

798cec05d8875d7afec0e78a1f2eefc30ea961de
SHA256

de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1
SHA512

536245a22ade94ed378b99ff5ea9fca234c1848f583b1c6db4b6916666d9b59ae538d2c3797b9f1972ff3e6fa4e15f4c3dc16e6934bebc984d89197331f7811e
SSDEEP

98304:/VAj4+4BjIW9rqZdAgNnrYtt+TIGAAU+XeXM+J+JBiGSEX9cUh9iOiTUVtZBgx:/VAjxS6YtuIGlZOcprk

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2808	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe

description	pid	Process	procid_target
PID 2076 wrote to memory of 2808	2076	de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe	33
PID 2076 wrote to memory of 2808	2076	de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe	33
PID 2076 wrote to memory of 2808	2076	de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe	33

C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe
"C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabD387.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XW3RrZlIU4ciKAdAWNO2fXvmS1zCOE\Files\SyncDisable.xlsx

Filesize
11KB

MD5
fe5452abecee54a1ef5ec53254c46eb5

SHA1
0c65123ae3f3f66e2c55ac7b2af72cc875b4523f

SHA256
c4c90c473beae30b433bc09652cab3a5b540c9feded11c342062dc5e3b964e2e

SHA512
39bbb3f07a397e0a957c96d8412a412cb5ec5d52a65675a0daa4ebae5f69fff57541aef44118eb33140fe0d972b0b24b1e9ef590b604f54639833807461adc3b

Download Submit
memory/2808-20-0x000007FEF5FFE000-0x000007FEF5FFF000-memory.dmp

Filesize
4KB

Download
memory/2808-21-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2808-22-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2808-24-0x0000000002C3B000-0x0000000002CA2000-memory.dmp

Filesize
412KB

Download
memory/2808-26-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-23-0x0000000002C34000-0x0000000002C37000-memory.dmp

Filesize
12KB

Download
memory/2808-49-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download