9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe
Size

1.4MB
MD5

f483d3919a4f8b932b329195106ecfee
SHA1

1f2b52b938c5437772bbc0935d5425b69ba280ba
SHA256

9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a
SHA512

750fdc354f84369caccfc625a4ab4262482c30efc4930f1e37416dd1980daac15d872dcb4d57a42257f31572a616b60cba8d7327d7bb43c00a19dc2bf589b6fe
SSDEEP

24576:BNRdUdTL5Pe7YDHwviQ0whanJTy314OUcuwwzoG4+IPg/3tFVm2:vcdv5WUH0aJTylWcs5IP63tFZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4936	SaferWeb-installer.exe

Loads dropped DLL 1 IoCs

pid	Process
3620	9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	SaferWeb-installer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4936	3620	9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe	84
PID 3620 wrote to memory of 4936	3620	9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe	84

C:\Users\Admin\AppData\Local\Temp\9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe
"C:\Users\Admin\AppData\Local\Temp\9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\SaferWeb-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\9eed0266959ef508668bfba87de09ef6aa5d74dd19e91f0e74b6e3653d448b1a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshD708.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\SaferWeb-installer.exe

Filesize
478KB

MD5
cd788cd014faf68e4880fcacc87d584e

SHA1
88939cf32a2c4550046304c36a830e89f8d53ae2

SHA256
c27bc42aaccb99060646cdac71f4afc363eba40197f53222e7c27613c289cf92

SHA512
57de1f077f5a3b6c12308c35c63c44b701a9239b2d22dc3a8a1f5b2392feb3082757523c5f0ae1942b3a3ff5064e3707524eaef15b68772f7c6003c613906a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD718.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
memory/4936-30-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-35-0x000001F349EE0000-0x000001F349EE8000-memory.dmp

Filesize
32KB

Download
memory/4936-23-0x000001F347F40000-0x000001F347F80000-memory.dmp

Filesize
256KB

Download
memory/4936-28-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-27-0x000001F349690000-0x000001F3496CA000-memory.dmp

Filesize
232KB

Download
memory/4936-29-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-21-0x000001F32DAA0000-0x000001F32DB1A000-memory.dmp

Filesize
488KB

Download
memory/4936-20-0x00007FFA42513000-0x00007FFA42515000-memory.dmp

Filesize
8KB

Download
memory/4936-32-0x000001F349870000-0x000001F34989A000-memory.dmp

Filesize
168KB

Download
memory/4936-33-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-34-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-25-0x000001F32F6F0000-0x000001F32F720000-memory.dmp

Filesize
192KB

Download
memory/4936-37-0x000001F349F30000-0x000001F349F3E000-memory.dmp

Filesize
56KB

Download
memory/4936-36-0x000001F34B4D0000-0x000001F34B508000-memory.dmp

Filesize
224KB

Download
memory/4936-38-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-39-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-40-0x00007FFA42513000-0x00007FFA42515000-memory.dmp

Filesize
8KB

Download
memory/4936-41-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-42-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-43-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-44-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download