Overview

overview

8

Static

static

3

0e926b28fc...14.exe

windows7-x64

8

0e926b28fc...14.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2024, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e926b28fc49f6259a70c032ae83cd14.exe

  • Size

    26KB

  • MD5

    0e926b28fc49f6259a70c032ae83cd14

  • SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

  • SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

  • SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

  • SSDEEP

    384:BvV0KF7OERZOTPx3hd/N7az/bCKQIRB1F7M9ekamfrqEjDEFCFUa0gW71JBr:B9LZOTPxNG5z7uTqVCFUa0gWR

Score
8/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops startup file 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e926b28fc49f6259a70c032ae83cd14.exe
    "C:\Users\Admin\AppData\Local\Temp\0e926b28fc49f6259a70c032ae83cd14.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
      "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe
        "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe" --checker
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\92c0875335b444c192f85a3c4580cbf7.exe
        "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\92c0875335b444c192f85a3c4580cbf7.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\92c0875335b444c192f85a3c4580cbf7.exe
    Filesize

    8.6MB

    MD5

    54e6bcf9be550a5b8e5cd7b83318942d

    SHA1

    0c9084c04d5dd833867a60376c0809e8276fd869

    SHA256

    b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2

    SHA512

    afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUSIService_3aa6f54166c04b069cfd7c01e0cf0b4c.lnk
    Filesize

    1KB

    MD5

    4c817f2e7eba17c23698501443f40e5e

    SHA1

    6ee935fd6fb11ff4fb5c331d4b29eadfaf28c5ee

    SHA256

    dcb2dedeab97c99eac0ea67610b93aeb0c4e510f2981b551bc0a8c3b7cc0774a

    SHA512

    ec8b8155531ad3d684e75aef17d7ad0908cbb800451904ed104bf39029135cb5d8d9a4766c99f9c345b2d5e5df1a578ff057443e68543e5299c43044832adc5b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUSIService_7f4e58bfa2194e9f8f9a7f13bfcf35bd.lnk
    Filesize

    1KB

    MD5

    f0bfaaa8d19936e6bdc7217997c14e86

    SHA1

    ed9a5635c78333348828ef5ad64167e3d2ce3623

    SHA256

    dba27a330eb5eb6b62457616329e62ed3e52f95dd78c5e319571962f163e404a

    SHA512

    e4f2489dc19aced133ec5a505cbb36b963ebf812c90ea8e78843f9f061276ffe88543bfc6fe26738181dfa3c711f98f6c7fcc1b402372003e0792002705f9b57

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUSIService_8a6eda1d14044a8c855e6a6dcfaee828.lnk
    Filesize

    1KB

    MD5

    59294d4c4bf5d49c9491995c189de78b

    SHA1

    b7e626aed0e756b6031907722448965d2534aad5

    SHA256

    a301387320a4648f859f028f01a207c00f67d9d2c309b5fbf50f15cc250e4f2c

    SHA512

    1fc24c796bef530401b02a86a05a2ba86d8a826f4e28e1d35aed521da0c0d0f3e4e7ea14e7a20dd8cbbc17aba96064f80c073dd7ba9a19bc89ea09653b30296a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
    Filesize

    26KB

    MD5

    0e926b28fc49f6259a70c032ae83cd14

    SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

    SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

    SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

    Download Submit

  • memory/1424-102-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-112-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-83-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-85-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-87-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-88-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-121-0x0000000000B90000-0x0000000001B76000-memory.dmp

    Filesize

    15.9MB

    Download

  • memory/1424-107-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-105-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-90-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-110-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-117-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-115-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-92-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-100-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-97-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-95-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1424-93-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2232-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2232-1-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2548-28-0x0000000000B30000-0x0000000000B3C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2780-29-0x0000000074E10000-0x00000000754FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-14-0x00000000011A0000-0x00000000011AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2780-62-0x0000000074E10000-0x00000000754FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-58-0x0000000074E10000-0x00000000754FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-17-0x0000000074E10000-0x00000000754FE000-memory.dmp

    Filesize

    6.9MB

    Download