Overview

overview

10

Static

static

3

aafd354885...7a.exe

windows7-x64

7

aafd354885...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe

  • Size

    391KB

  • MD5

    43d30c776f593efdf5416ab4142442d6

  • SHA1

    3f7f251511aa918a3c221cb4d039e406e9449132

  • SHA256

    aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a

  • SHA512

    8b1b195775c3de13cc281fe9d92580230fcdb48a9dab001eaa442328aa88e1ec27ced4cdaaa941bb42141a269e7f844f4dd945d8a9a6df06bb05393271987238

  • SSDEEP

    6144:sSg0P0VgwhTfR4NATIVDHPfq1NRHR5/nQibDVDeFtJ9JDwzTE3GL0:+hLR4vq1N354iHQj1X3G

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe
    "C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\aafd35488559a2ef64b3758eff767046369f540af491f9325d344c2ef214587a.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1456-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1456-1-0x0000000000EF0000-0x0000000000F58000-memory.dmp

      Filesize

      416KB

      Download

    • memory/1456-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1456-3-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1456-4-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

      Download