Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 19:15

General

  • Target

    e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe

  • Size

    13KB

  • MD5

    224c306b78a6e3fb7d042c3be3888790

  • SHA1

    048d839a99a4d8228a7fde54fe2b95e8c4e09999

  • SHA256

    e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc

  • SHA512

    44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541

  • SSDEEP

    384:tv+t/QgBssNSvNSV+EVeFuKk/RetkMHvLYYx3ppg:t2h/EEQ0VKkJedYH

Malware Config

Signatures

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
    "C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\videodrv.exe
      C:\Windows\videodrv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3340

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\eml.tmp

          Filesize

          2KB

          MD5

          dd3d6f89a870a89599c3224ba2f77cde

          SHA1

          72471eabc5bd90688291e501d27faa58b8065d41

          SHA256

          446432d1f0b4d0c102745a09a5265f991053adc3edc28360f1f4882834938cc6

          SHA512

          21602bfa9da4e6632c0cbf97d08ffbeb5ce2415050d7c04ba8dbad5c4e72b30f0c225d563ad56d341580e04d64da24a551eb22af95d404a3790f19349e488d32

        • C:\Windows\eml.tmp

          Filesize

          2KB

          MD5

          03eaafad1ab97601f872c8cb20c9afce

          SHA1

          758d17d6924a87d16388f03b445bad4739d3603e

          SHA256

          0c8302216f046043fe7238ef1a00cba166a77fb85e9ab89dc1d7f9d178bcff6f

          SHA512

          72f1a2ac56bac36d92b6875ca5b195e19d387c6ce0d92cadd0c596daaf3c2e16d3d9e8faafc0f7c1d9538a39c0355fc997d6db80897fd421bfa72c4e8ec8f30d

        • C:\Windows\eml.tmp

          Filesize

          3KB

          MD5

          f4d0cfeae265e06a0de91365c9e73413

          SHA1

          4b651a48d37412c1849c181dea91feaa4c5f6a72

          SHA256

          b80e48ff761536872ea8c220967834066ece37a74eae3634d39856be0464cba4

          SHA512

          4be545394bb6284624405c759c5b7655161352d0e0a92a87b4178a57ae75de47c930c9499e662f98b4dcddb8371bfaa811c4bdb608bb37b994e17fb3e75b4571

        • C:\Windows\eml.tmp

          Filesize

          4KB

          MD5

          8a2ecd274bcc7ae885f6e8f2eab5a639

          SHA1

          5215b6dd17bb850fa19f73e1e01a72cdd012cb6d

          SHA256

          a1f719a8c3b6061a5fa0481fc21b9908ddad9ca9e60cbf5b7e45cd1bf89225fb

          SHA512

          c339c681561234c902503bf3040a3a84b4ebb99c754ecc682984acd11c9a9641f85ead5d599b7a958d3c68d5a330674c466cefa5d4ee88a1f77175dd1f1b1712

        • C:\Windows\eml.tmp

          Filesize

          635B

          MD5

          b3a1ace3f7691d3795f2d59405add79e

          SHA1

          7b0f0794a4fc2f3f7596ebec298cfbe7d333f773

          SHA256

          d814662cacb0d7bb84edd2f03713d1338303152d968f5bc9f31ea84f34fb2cb4

          SHA512

          fd54826424d3dab1c66846b718e8f3efe0984c4c984325e8c9082e3306fbfcd2c700a50045a0b609dd6eceeb41825e8b756f7e5a4887706a876d085dc0cf75cd

        • C:\Windows\videodrv.exe

          Filesize

          13KB

          MD5

          224c306b78a6e3fb7d042c3be3888790

          SHA1

          048d839a99a4d8228a7fde54fe2b95e8c4e09999

          SHA256

          e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc

          SHA512

          44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541

        • memory/3340-11-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3340-219-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3340-248-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3340-249-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3340-250-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3340-251-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3608-10-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB

        • memory/3608-0-0x0000000000400000-0x0000000000479000-memory.dmp

          Filesize

          484KB