Overview

overview

10

Static

static

3

9e4904f325...0N.exe

windows7-x64

10

9e4904f325...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/07/2024, 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e4904f3254b61e2846de012c3098950N.exe

  • Size

    134KB

  • MD5

    9e4904f3254b61e2846de012c3098950

  • SHA1

    d0f222b628953b8884b5c1b11a80caacfeb6d7ed

  • SHA256

    716d25821990cbfb9c7c906961e9f9ac7c8549ceb1066f753ff8c13fa799e1f8

  • SHA512

    235fdc5c839545284952319c6a7f371fc3fca32695cdd6777b4e7127975e5336c4f2bb8bac4609e45ecda91734985ef35cda829be1019ca771c10cf837528d6a

  • SSDEEP

    1536:iPQc0IiI+7vAIIzuQ8Tr15WUkTdIOzq0ZDYnJvx/45YssAe8d2wNmlFIhF9Vt:MQc01zAf6QGkBIO20Z2vQYeo7Ihf3

Score
10/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 44 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe
    "C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe
      "C:\Users\Admin\AppData\Local\Temp\9e4904f3254b61e2846de012c3098950N.exe" rg
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Adds Run key to start application
      PID:1504
    • C:\Users\Admin\Documents\dvm.exe
      "C:\Users\Admin\Documents\dvm.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\Documents\dvm.exe
        "C:\Users\Admin\Documents\dvm.exe" rg
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:4592
      • C:\Users\Admin\Documents\vspconsole.exe
        "C:\Users\Admin\Documents\vspconsole.exe" wm 4404
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
  • C:\Users\Admin\Documents\dvm.exe
    "C:\Users\Admin\Documents\dvm.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\Documents\dvm.exe
      "C:\Users\Admin\Documents\dvm.exe" rg
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2164
    • C:\windows\system32\winvsp.exe
      "C:\windows\system32\winvsp.exe" ws 1532 winvsp
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab
    Filesize

    29B

    MD5

    07d4c0c3bd4031c325814063946ddfd9

    SHA1

    12c200bb85943ef2d3e602f8c6ee890c0d01aea5

    SHA256

    4b49d4c40e59c8f82ae9a1bc6ed8c83b3df58167c4d2786650ef6323464ddf0a

    SHA512

    16f6f6819208fbe09ffa51592f2da284b602c45b421eadd823c0214efe9273b656bd81d37cb4dd537e8a76b0ef63f7a86d971b370f0eb020bf8d11d811fa3c0e

    Download Submit

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX17F6.tmp
    Filesize

    136KB

    MD5

    dd7ecbdebd9ce3121f32a61c6e4a50fc

    SHA1

    e8d1575a12918cd8fa58323d05dbdeace9a27a8c

    SHA256

    bf16b141f188528549c0ef51778cf123c5643de475cc6f76989eca3e3cae70c4

    SHA512

    bc9f69185f8bf77995d8347b42cea6ca531f299bd68a21739c1e636d033b58eac74ca56f8111c4f2f7dff100d07b65bfd69f9f3ce04eb10e3be6838b0f246843

    Download Submit

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\RCX256C.tmp
    Filesize

    134KB

    MD5

    65a0cd616ea0f5928f123c7bff964e23

    SHA1

    b663dd2a751eec7c9b69f55a47fcd670e2c8ba03

    SHA256

    dcdb83db7fd2a0e17de6fcb2bbc90abb80f55b09fcd280cc1a54dea3c6d95ce0

    SHA512

    fdbe891ffcef0a6018f071081465e524b64bcb72b9afcdd977b751fc712d90ff75cc6f2fd038849d317df5c0da9085d1f4e56ad9787a041f78b583afb1a74cd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\9e4904f3254b61e2846de012c3098950N.exe.log
    Filesize

    115B

    MD5

    5f2253957958934a8b81921678832b72

    SHA1

    d9b030f94a9f3323fdcdb391192960d840b89723

    SHA256

    ab70783e426113082348a647ea0de73875931662f82b9f2ea4f3a44e5fac1000

    SHA512

    28310f23b744a03f81707d7fb77a9f5fce621bcfc56108b9ff76bbdb4ebc6014380715fef68c8b3c486c9aa4bfc1e66928caa7294bea4d263a18ab8557a96460

    Download Submit

  • C:\Windows\System32\RCXC17D.tmp
    Filesize

    134KB

    MD5

    8c128fdb021798d913e685cb2a6a37dd

    SHA1

    9211b2ccea07c7688e69e0be4eadf5b83c76d4fd

    SHA256

    1009e0f39eec98af2308bb9762804f332286a01917011cba0147696a984f02b2

    SHA512

    1e3255b23163b50902068b53722e53ef96ffc620deb8211c77894fa7d248b6352b49558c13d8a5045393a34ccbdfc8bafdc4920d1cff2e16bd3734ebf0b41556

    Download Submit

  • C:\Windows\System32\winvsp.exe
    Filesize

    134KB

    MD5

    9e4904f3254b61e2846de012c3098950

    SHA1

    d0f222b628953b8884b5c1b11a80caacfeb6d7ed

    SHA256

    716d25821990cbfb9c7c906961e9f9ac7c8549ceb1066f753ff8c13fa799e1f8

    SHA512

    235fdc5c839545284952319c6a7f371fc3fca32695cdd6777b4e7127975e5336c4f2bb8bac4609e45ecda91734985ef35cda829be1019ca771c10cf837528d6a

    Download Submit

  • memory/1532-420-0x00000000011B0000-0x00000000011B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1532-405-0x000000001C050000-0x000000001C0B2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3080-70-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3080-2-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3080-202-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3080-217-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3080-1-0x000000001BBA0000-0x000000001C06E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3080-215-0x0000000001119000-0x000000000111F000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3080-3-0x000000001B570000-0x000000001B590000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3080-0-0x00007FF8469E5000-0x00007FF8469E6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3080-201-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4404-221-0x000000001CE00000-0x000000001CE9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4404-220-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4404-549-0x000000001ECC0000-0x000000001EFCE000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4404-219-0x000000001C620000-0x000000001C638000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4404-218-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4404-936-0x00000000215B0000-0x00000000215F9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4404-937-0x0000000021520000-0x000000002155E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4404-956-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4404-216-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4404-988-0x00007FF846730000-0x00007FF8470D1000-memory.dmp

    Filesize

    9.6MB

    Download