Overview

overview

10

Static

static

10

de6ad3a7e0...e1.exe

windows7-x64

7

de6ad3a7e0...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe

  • Size

    17.1MB

  • MD5

    505c82de0d88ad7024d2982e44d1d118

  • SHA1

    798cec05d8875d7afec0e78a1f2eefc30ea961de

  • SHA256

    de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1

  • SHA512

    536245a22ade94ed378b99ff5ea9fca234c1848f583b1c6db4b6916666d9b59ae538d2c3797b9f1972ff3e6fa4e15f4c3dc16e6934bebc984d89197331f7811e

  • SSDEEP

    98304:/VAj4+4BjIW9rqZdAgNnrYtt+TIGAAU+XeXM+J+JBiGSEX9cUh9iOiTUVtZBgx:/VAjxS6YtuIGlZOcprk

Score
7/10
executionspywarestealer

Malware Config

Signatures

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe
    "C:\Users\Admin\AppData\Local\Temp\de6ad3a7e011954f1a31e68d083aa35cfe0229ca980724334d3cd1cac2e804e1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tujztvrp.cuy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2976-0-0x00007FF99FD03000-0x00007FF99FD05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2976-1-0x000002942A300000-0x000002942A322000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2976-11-0x00007FF99FD00000-0x00007FF9A07C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2976-12-0x00007FF99FD00000-0x00007FF9A07C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2976-16-0x00007FF99FD00000-0x00007FF9A07C1000-memory.dmp

    Filesize

    10.8MB

    Download