e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe
Size

475KB
MD5

d22ee46f56ee3fe235ca87771c9da677
SHA1

330300f55b9043dddda18841b8e21b009534b5b8
SHA256

e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8
SHA512

5aead3ce8c7e7aa69a4f2290033457cb3bbdb6b5671880fef4ef467ae135f535971dc050caad55caff2d568fec0f8c6572bb5e927295300342aaf5e84e86c4d8
SSDEEP

12288:FfClqZ9nT3meDnC82gkCloYb77GjnkXzljwntHPy6L:FdZ9bDnuFwoYPi4jlD6L

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4412-0-0x0000000000400000-0x0000000000561200-memory.dmp	upx
behavioral2/memory/4412-32-0x0000000000400000-0x0000000000561200-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
4984	msedge.exe
4984	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4412	e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe
4412	e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4984	4412	e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe	87
PID 4412 wrote to memory of 4984	4412	e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe	87
PID 4984 wrote to memory of 3036	4984	msedge.exe	88
PID 4984 wrote to memory of 3036	4984	msedge.exe	88
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 3268	4984	msedge.exe	89
PID 4984 wrote to memory of 748	4984	msedge.exe	90
PID 4984 wrote to memory of 748	4984	msedge.exe	90
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91
PID 4984 wrote to memory of 5032	4984	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe
"C:\Users\Admin\AppData\Local\Temp\e0156d8531c4fd86b56bbce20506e5db54ef4f405ca97c257e4ebed5a85714d8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://share.weiyun.com/GkpDQq1A
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x8c,0x108,0x7fff536d46f8,0x7fff536d4708,0x7fff536d4718
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,18297043650379715241,7966530078406748558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4000 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6bf8c7a3-a3c6-4851-9b01-fb53d444855d.tmp

Filesize
323B

MD5
3224dc19536a00f84006d8b7b91626d5

SHA1
e6882f1ef95db2d9254dbfe7a34666d38c43d548

SHA256
ccb4d57254cf05d436ddc338f02c02e1f2802654477f7de223a71e25cb750792

SHA512
db146b2cd463baaaaa2d82e358f8c7059dcfb42722d4cfe0b51616f50eb48542f1b249950d1a9501fafc50715ab0d16afd61f99769caacfa1e2edd6bd1dcad20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
21cc6186cb0329a8ca0b1240671699b4

SHA1
2ffd267ac745346c248539c708828eebdb8e2861

SHA256
6fa6566b49f0160074d9d20cad02c935b21beda1f9ae3bb3b632fdc774220e38

SHA512
3fe9a1a3504e5483b828ed22980db5262ce7450094eb25c98bc36a0112fd9b9b8bfde880fd16b34d1879264f15131108a09159b54296a3dd1f79688a41efc480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1da216828c2a3ddcd36884a9fd3203d

SHA1
9cd0839823e592126210d9a832d3b635ab01340c

SHA256
38d0323e238cecfe6c9f25060e383618d95b504d84d12c54d59b17b9b49785ee

SHA512
8348db9b5f8a8003d0047016d4120328cfa1379d08a2c4aadd4eb675637608f29d19629e11843781547cd6b43e22d1577b254940df85fff9ea1ab541a5c8a7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af4a4db542f48103e21289d05f0db938

SHA1
023ec22fd1c750f06b161d21155d936cb1980ba9

SHA256
3810a4b6aa6644eea2663ef1cf5ce88eab553baf146ab2b79f43c5f10e74d242

SHA512
868d015d823514237d9e15161ac5cf451380a0cd90f593aa46637d1a1826c2791633f0e2299508bec5c90bf49f6b814ca70d7e78465414939b1cf8c8ee7c9215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01a6c860be943ca73b5c0dfe3b24c956

SHA1
4089ceacb19a5b2d9899743189d940cf9b98e0db

SHA256
10c2372675f4277819f6a83dc1523e8a06909a17f8eea8f7f105262ab337f223

SHA512
9c93e1d8b676870ba59f3619f72e862a86510a7c7540ed7bbed4625917db898ec1a620d22c0af00686f81e7081fe28c7dd827ca8dd03cb3782100180231042cb

Download Submit
memory/4412-0-0x0000000000400000-0x0000000000561200-memory.dmp

Filesize
1.4MB

Download
memory/4412-32-0x0000000000400000-0x0000000000561200-memory.dmp

Filesize
1.4MB

Download