Overview

overview

8

Static

static

3

0e926b28fc...14.exe

windows7-x64

8

0e926b28fc...14.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2024, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e926b28fc49f6259a70c032ae83cd14.exe

  • Size

    26KB

  • MD5

    0e926b28fc49f6259a70c032ae83cd14

  • SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

  • SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

  • SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

  • SSDEEP

    384:BvV0KF7OERZOTPx3hd/N7az/bCKQIRB1F7M9ekamfrqEjDEFCFUa0gW71JBr:B9LZOTPxNG5z7uTqVCFUa0gWR

Score
8/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e926b28fc49f6259a70c032ae83cd14.exe
    "C:\Users\Admin\AppData\Local\Temp\0e926b28fc49f6259a70c032ae83cd14.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
      "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe
        "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\EdgeUpdaters.exe" --checker
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4348
      • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\033db632e4dd4c9380f23732483f4bed.exe
        "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\033db632e4dd4c9380f23732483f4bed.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\033db632e4dd4c9380f23732483f4bed.exe
    Filesize

    8.6MB

    MD5

    54e6bcf9be550a5b8e5cd7b83318942d

    SHA1

    0c9084c04d5dd833867a60376c0809e8276fd869

    SHA256

    b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2

    SHA512

    afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\UUSIService.exe
    Filesize

    26KB

    MD5

    0e926b28fc49f6259a70c032ae83cd14

    SHA1

    abb5856b3853cfe4ecc5e25ff1a7aa605afac007

    SHA256

    3088b0302d4b38c63ef4fead57aa6049da2cc62bf9f4a5d9331552c84fe516e6

    SHA512

    1f4306c38e6604f3945a4d1215576ee81514c34757318035d9220fb81da5bb4f39d23b8a22f404902fe3e67f0326a1f9ff45dc6ce8d3a41a69aab54de488fb77

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UUSIService_895263a02aaf4a82a78d0393e442bbd3.lnk
    Filesize

    1KB

    MD5

    a20526301a64efc40827c25e779c1061

    SHA1

    8324d06289ec931a26c024a891aaa8d61400562b

    SHA256

    f0bddbcbd6bc6d2a2e1bdd746426a20011b19e2abff938c9ee60c9027f4cd170

    SHA512

    99e7c3a217950bc2081b226985b361efd069ee34f81c972280e2fd473c7b2d97e7a5092a1d50e277f9d7166f3a620b7386ca2b00a98c40ad5986636f089f738a

    Download Submit

  • memory/2464-71-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2464-20-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2464-56-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2464-23-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2652-78-0x00000000038D0000-0x00000000038D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-76-0x00000000038B0000-0x00000000038B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-81-0x0000000000760000-0x0000000001746000-memory.dmp

    Filesize

    15.9MB

    Download

  • memory/2652-73-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-74-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-75-0x0000000003880000-0x0000000003881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-77-0x00000000038C0000-0x00000000038C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-79-0x00000000038E0000-0x00000000038E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-0-0x000000007535E000-0x000000007535F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-1-0x0000000000A30000-0x0000000000A3C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3672-4-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3672-19-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4348-37-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4348-72-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4348-41-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4348-87-0x0000000075350000-0x0000000075B00000-memory.dmp

    Filesize

    7.7MB

    Download