Resubmissions

  Submitted          Analysis ID         Score
  26-08-2024 06:08   240826-gvvv2syflc   7
  26-08-2024 05:33   240826-f8z69axflf   7
  26-08-2024 05:27   240826-f5sb8sxele   7
  26-08-2024 04:43   240826-fcbh1swakb   7
  05-07-2024 19:05   240705-xrx41atcmk   7

Analysis
  Max time kernel:   121s
  Max time network:  127s
  Platform:          windows7_x64
  Resource:          win7-20240708-en
  Resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  Submitted:         26-08-2024 04:43
Behavioral task: behavioral1
  Sample:    Scan wallet v6.exe
  Resource:  win7-20240708-en

Behavioral task: behavioral2
  Sample:    Scan wallet v6.exe
  Resource:  win10v2004-20240802-en
General
  Target:  Scan wallet v6.exe
  Size:    84.3MB
  MD5:     06ef13470b9a6625e3e4f56d6fc7137a
  SHA1:    36622e584db2295aa2d292e1f83def1a72c365dc
  SHA256:  66b43f3c5387c799f8e07a20508f38c8ee4ee9c0ac20c5454d3f75e36aa08440
  SHA512:  77bfe6b217fc6e85b4d36bc9b0df289da8074e31918929358d62ec973684709e69cdaf8f40136df30f07c35f64e7fa8572a0cf3b15934ace986dcfdd1c0e6ecb
  SSDEEP:  1572864:gnhP3z7OZjyNtRT+s+pDoKQYJFF2MpOXdDTK4QiIJ2qHWB75iVb6RWxNg:gnhfgjyxT+sIDN12xtD9yJ2qHO5iVb6i
Malware Config

Signatures

Loads dropped DLL (1 IoC)
  Processes:
    pid   Process
    2024  Scan wallet v6.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                                    Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   Process
    1720  chrome.exe   (2 identical entries)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes:
    description                 pid   Process
    Token: SeShutdownPrivilege  1720  chrome.exe   (34 identical entries)
Suspicious use of FindShellTrayWindow (35 IoCs)
  Processes:
    pid   Process
    1720  chrome.exe   (35 identical entries)
Suspicious use of SendNotifyMessage (32 IoCs)
  Processes:
    pid   Process
    1720  chrome.exe   (32 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (identical rows collapsed; the count column gives how many times each row appears):
    description                       pid   Process             procid_target  count
    PID 2988 wrote to memory of 2024  2988  Scan wallet v6.exe  31             3
    PID 1720 wrote to memory of 1044  1720  chrome.exe          36             3
    PID 1720 wrote to memory of 2080  1720  chrome.exe          38             39
    PID 1720 wrote to memory of 916   1720  chrome.exe          39             3
    PID 1720 wrote to memory of 1100  1720  chrome.exe          40             16
Processes (indentation shows parent/child relationship)

  "C:\Users\Admin\AppData\Local\Temp\Scan wallet v6.exe"  (PID 2988)
      Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\Scan wallet v6.exe"  (PID 2024)
        Loads dropped DLL

  "C:\Windows\explorer.exe"  (PID 2272)

  "C:\Program Files\Google\Chrome\Application\chrome.exe"  (PID 1720)
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6389758,0x7fef6389768,0x7fef6389778  (PID 1044)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:2  (PID 2080)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:8  (PID 916)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:8  (PID 1100)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2016 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:1  (PID 1648)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:1  (PID 2124)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1140 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:2  (PID 3000)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:1  (PID 2836)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=1284,i,5579040939287070468,6523509529509989741,131072 /prefetch:8  (PID 2772)

  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"  (PID 2300)
Network
MITRE ATT&CK Enterprise v15
Downloads