6a356e0fdfd98bdc75acdbe7761edb8be958be83387b7a8cc1a09a3be2ecb9bd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.exe
Size

36.2MB
MD5

162cde9051852237c54f6ba5caf4d62a
SHA1

e88fd479322a27f9a2d4fc7514f4d4f85d248cd3
SHA256

6a356e0fdfd98bdc75acdbe7761edb8be958be83387b7a8cc1a09a3be2ecb9bd
SHA512

1e0152df595eb429b0258a45ed15c541caf0f8c0eb6e4c07e886b95632f03cd022c2bc54ade4494e764cdd286d3bf3a8c0166b56d16138e9128a321a2ed2438e
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgm96l+ZArYsFRlpPR:R3on1HvSzxAMNmFZArYsBPv67OZwjW

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	app.exe

Loads dropped DLL 1 IoCs

pid	Process
3080	app.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2520	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 2612	3080	app.exe	88
PID 3080 wrote to memory of 2612	3080	app.exe	88
PID 3080 wrote to memory of 2244	3080	app.exe	89
PID 3080 wrote to memory of 2244	3080	app.exe	89
PID 2244 wrote to memory of 2520	2244	cmd.exe	90
PID 2244 wrote to memory of 2520	2244	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "${filePath}""
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit