Overview

overview

9

Static

static

3

file.exe

windows7-x64

9

file.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    135s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    1c7ebcdade13eebb33b4efda3a9ee280

  • SHA1

    6dd022afc1ecdee926663cdf51942d197c38e6fb

  • SHA256

    9ae0469bb6518417e8cf3e431550f4ee21130757fbea543a639fff11c836e357

  • SHA512

    b24c3f7a7eb45f0ba810ea1bef07c456fec1cc7f2258ee19c9fece793797b2716ecbb00cbe47b6ff5eb647430fccbe139ed098170feb11918f4031c692760462

  • SSDEEP

    49152:DG4dSxsLyF855Tkt/cE7NIHrV/0YBNEwSeOZ7jYHYiepCLz4RTFAf6R1Mp:DG4dSxETQ/mLV/0AC5eOd3sLzkK+

Score
9/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 3000
        3⤵
        • Program crash
        PID:3564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 1676
    1⤵
      PID:3196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
      Filesize

      617B

      MD5

      99e770c0d4043aa84ef3d3cbc7723c25

      SHA1

      19829c5c413fccba750a3357f938dfa94486acad

      SHA256

      33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

      SHA512

      ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

      Download Submit

    • memory/1640-1-0x0000000000B50000-0x0000000000E7C000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1640-2-0x00000000058C0000-0x000000000595C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1640-3-0x0000000005A80000-0x0000000005BFA000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1640-4-0x00000000061B0000-0x0000000006754000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1640-5-0x0000000005790000-0x00000000057B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1640-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1676-11-0x0000000074D30000-0x00000000754E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1676-15-0x0000000008200000-0x0000000008212000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1676-10-0x0000000074D30000-0x00000000754E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1676-6-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/1676-12-0x00000000054B0000-0x00000000054BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1676-13-0x0000000008770000-0x0000000008D88000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1676-14-0x00000000082B0000-0x00000000083BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1676-9-0x00000000053F0000-0x0000000005482000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1676-16-0x0000000008260000-0x000000000829C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1676-17-0x00000000083C0000-0x000000000840C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1676-20-0x0000000008660000-0x00000000086C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1676-21-0x0000000009810000-0x0000000009886000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1676-22-0x00000000097C0000-0x00000000097DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1676-23-0x000000000A0D0000-0x000000000A292000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1676-24-0x000000000A7D0000-0x000000000ACFC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1676-25-0x0000000074D30000-0x00000000754E0000-memory.dmp

      Filesize

      7.7MB

      Download