Overview

overview

10

Static

static

3

9e4904f325...0N.exe

windows7-x64

10

9e4904f325...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2024, 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e4904f3254b61e2846de012c3098950N.exe

  • Size

    134KB

  • MD5

    9e4904f3254b61e2846de012c3098950

  • SHA1

    d0f222b628953b8884b5c1b11a80caacfeb6d7ed

  • SHA256

    716d25821990cbfb9c7c906961e9f9ac7c8549ceb1066f753ff8c13fa799e1f8

  • SHA512

    235fdc5c839545284952319c6a7f371fc3fca32695cdd6777b4e7127975e5336c4f2bb8bac4609e45ecda91734985ef35cda829be1019ca771c10cf837528d6a

  • SSDEEP

    1536:iPQc0IiI+7vAIIzuQ8Tr15WUkTdIOzq0ZDYnJvx/45YssAe8d2wNmlFIhF9Vt:MQc01zAf6QGkBIO20Z2vQYeo7Ihf3

Score
10/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 49 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe
    "C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe
      "C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe" rg
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Adds Run key to start application
      PID:908
    • C:\programdata\dvm.exe
      "C:\programdata\dvm.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\programdata\dvm.exe
        "C:\programdata\dvm.exe" rg
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:936
      • C:\Users\Admin\Documents\dvm.exe
        "C:\Users\Admin\Documents\dvm.exe" wm 2336
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
  • C:\programdata\dvm.exe
    "C:\programdata\dvm.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\programdata\dvm.exe
      "C:\programdata\dvm.exe" rg
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies data under HKEY_USERS
      PID:2104
    • C:\Windows\System32\winvsp.exe
      "C:\Windows\System32\winvsp.exe" ws 1852 winvsp
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
    Filesize

    29B

    MD5

    07d4c0c3bd4031c325814063946ddfd9

    SHA1

    12c200bb85943ef2d3e602f8c6ee890c0d01aea5

    SHA256

    4b49d4c40e59c8f82ae9a1bc6ed8c83b3df58167c4d2786650ef6323464ddf0a

    SHA512

    16f6f6819208fbe09ffa51592f2da284b602c45b421eadd823c0214efe9273b656bd81d37cb4dd537e8a76b0ef63f7a86d971b370f0eb020bf8d11d811fa3c0e

    Download Submit

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX13E9.tmp
    Filesize

    134KB

    MD5

    2d4abf17bd2e2cf5e20aba26c45498b3

    SHA1

    26fb90c1a1ef4b9ab80d2a010ffd4781f3350b8b

    SHA256

    92bde6d53cff254b11a6cbbdec28f20bd70d4b60a437c789a99b3c4e1f389cc1

    SHA512

    cea862e1a210f27fc137bdc7f9c3c81cf92e24e3e407e7b0eb8990edae06b0ce94a6fa492f2c3a9f4e153d26cd31d2b7f888329130a36bf763f1eb3b6628498a

    Download Submit

  • C:\Windows\System32\RCXA1EC.tmp
    Filesize

    134KB

    MD5

    8c128fdb021798d913e685cb2a6a37dd

    SHA1

    9211b2ccea07c7688e69e0be4eadf5b83c76d4fd

    SHA256

    1009e0f39eec98af2308bb9762804f332286a01917011cba0147696a984f02b2

    SHA512

    1e3255b23163b50902068b53722e53ef96ffc620deb8211c77894fa7d248b6352b49558c13d8a5045393a34ccbdfc8bafdc4920d1cff2e16bd3734ebf0b41556

    Download Submit

  • C:\Windows\System32\winvsp.exe
    Filesize

    134KB

    MD5

    9e4904f3254b61e2846de012c3098950

    SHA1

    d0f222b628953b8884b5c1b11a80caacfeb6d7ed

    SHA256

    716d25821990cbfb9c7c906961e9f9ac7c8549ceb1066f753ff8c13fa799e1f8

    SHA512

    235fdc5c839545284952319c6a7f371fc3fca32695cdd6777b4e7127975e5336c4f2bb8bac4609e45ecda91734985ef35cda829be1019ca771c10cf837528d6a

    Download Submit

  • memory/2296-209-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-208-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-87-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-201-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-206-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-202-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-0-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-4-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-3-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-5-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2296-211-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2336-213-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2336-212-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2336-846-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2336-210-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2336-940-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

    Filesize

    9.6MB

    Download