Malware Analysis Report

2025-03-15 04:28

Sample ID 241025-z9gwvaspds
Target SeedGen.exe
SHA256 3cfbcfba218eac5d9f083109d9266689d87199eda0471c5f2363a7350e153db9
Tags discovery spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file SeedGen.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Looks up external IP address via web service

Browser Information Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-25 21:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 21:24

Reported

2024-10-25 21:27

Platform

win7-20240729-en

Max time kernel

23s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SeedGen.exe

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

N/A

Files

memory/2528-0-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2528-1-0x00000000021A0000-0x0000000002304000-memory.dmp

memory/2528-2-0x00000000021A0000-0x0000000002304000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:24

Reported

2024-10-25 21:27

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Browser Information Discovery

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SeedGen.exe

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1952-0-0x000001E836BD0000-0x000001E836BD2000-memory.dmp

memory/1952-1-0x000001E836D80000-0x000001E836EE4000-memory.dmp

memory/1952-8-0x000001E836D80000-0x000001E836EE4000-memory.dmp

memory/1952-9-0x000001E836D80000-0x000001E836EE4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 21:24

Reported

2024-10-25 21:27

Platform

win11-20241007-en

Max time kernel

101s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\SeedGen.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SeedGen.exe

"C:\Users\Admin\AppData\Local\Temp\SeedGen.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A