Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-08-2024 01:51

General

  • Target
    5f5412a4e301977774b903cadaa07e13731da5b190a8935abd180c7a62bcf58c.exe
  • Size
    17KB
  • MD5
    1ee1d826b005f3f1c0664dd8daa3ed08
  • SHA1
    62a43350d1091e5eae85beab209bd42043027fd7
  • SHA256
    5f5412a4e301977774b903cadaa07e13731da5b190a8935abd180c7a62bcf58c
  • SHA512
    72b6d9778758b406fb6ca5c607869715017afa709a61770c0097eced807aa9ddcf740d3e96ddf3d0151e6c9027d5c06a3eff5e45346b0220adb8f9388b5c0d4d
  • SSDEEP
    384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/Gm+:ljjAQ+BzWPEwnE+KHM2/J+

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f5412a4e301977774b903cadaa07e13731da5b190a8935abd180c7a62bcf58c.exe
    "C:\Users\Admin\AppData\Local\Temp\5f5412a4e301977774b903cadaa07e13731da5b190a8935abd180c7a62bcf58c.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\HJzfqkvgPbrQSCH.exe
    Filesize: 17KB
    MD5: bcf7570e9f7039bbb0d37c1e2ff45be0
    SHA1: a8e2597189c32fbfc6c25d621cd2e80eaab49214
    SHA256: 62c82b927ee9fa99712d69f01e912820b6063c340aad338cae8d954afd52d937
    SHA512: 2d7ed1c902edde16976747e155a2c243fe3475b9d0aec1ebad4471eb5b966d1948e03682278c14d635f334523f040d1670153ef66efc6784142c322aa33aee6f

  • C:\Windows\svhost.exe
    Filesize: 16KB
    MD5: 5e7c375139b7453abd0b91a8a220f8e5
    SHA1: 88a3d645fab0f4129c1e485c90b593ab60e469ae
    SHA256: 36ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
    SHA512: 0805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2