Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 11:16

General

  • Target

    d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe

  • Size

    85KB

  • MD5

    e1e788e36729db3bd1c754a160340021

  • SHA1

    fbf1072e91554603dbf86599ad2571a513b2c6db

  • SHA256

    d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857

  • SHA512

    7a442471d5d5451f2fb6005ae368bb6eba299b73dd37711b4136049fc53c067786b4cbe2a038a76a5458d068508dc2c34c3b14e106940e6f718a2f60a61f7535

  • SSDEEP

    1536:bWmBAmo4YsUvAMbRxQx+3KuKkcUoTfTH+k6dwymR:bHoOUvAMbRNKEo3HnpD

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe
    "C:\Users\Admin\AppData\Local\Temp\d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857.exe"
    1⤵
    • Drops startup file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4732
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:704

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe

      Filesize

      1.5MB

      MD5

      cb3696dc44680137c5e84838b3db3495

      SHA1

      9b14db1e4a9aea7779fa0af246ddfa96be418a55

      SHA256

      4e7315adeb47ff58e6dc86a73cfa11027c48e32f7a26fcf1e0460a9aed8c4583

      SHA512

      c57e6833bc2e12709b2e4225970de39acabca538ebb4f9a75a4570295d0115368b306da2616ed3cee3b73a26af8f5b3e3dc2eb4f03874ba924f99cfec87aca4e

    • memory/4540-0-0x00000000005D0000-0x0000000000609000-memory.dmp

      Filesize

      228KB

    • memory/4540-1-0x0000000001060000-0x0000000001064000-memory.dmp

      Filesize

      16KB

    • memory/4540-8-0x00000000005D0000-0x0000000000609000-memory.dmp

      Filesize

      228KB

    • memory/4540-9-0x0000000001060000-0x0000000001064000-memory.dmp

      Filesize

      16KB

    • memory/4540-23-0x00000000005D0000-0x0000000000609000-memory.dmp

      Filesize

      228KB

    • memory/4540-24-0x00000000005D0000-0x0000000000609000-memory.dmp

      Filesize

      228KB