Overview

overview

10

Static

static

7

SoftWare(1).exe

windows7-x64

10

SoftWare(1).exe

windows10-2004-x64

10

SoftWare(2).exe

windows7-x64

8

SoftWare(2).exe

windows10-2004-x64

8

atom.dll

windows7-x64

10

atom.dll

windows10-2004-x64

10

brand.dll

windows7-x64

10

brand.dll

windows10-2004-x64

10

concrt140.dll

windows7-x64

1

concrt140.dll

windows10-2004-x64

8

encoding-c...on.dll

windows7-x64

1

encoding-c...on.dll

windows10-2004-x64

3

icudt68.dll

windows7-x64

1

icudt68.dll

windows10-2004-x64

6

icuuc68.dll

windows7-x64

1

icuuc68.dll

windows10-2004-x64

6

libcrypto-1_1-x64.dll

windows7-x64

1

libcrypto-1_1-x64.dll

windows10-2004-x64

3

libcurl.dll

windows7-x64

1

libcurl.dll

windows10-2004-x64

8

libssl-1_1-x64.dll

windows7-x64

1

libssl-1_1-x64.dll

windows10-2004-x64

1

msvcp140.dll

windows7-x64

1

msvcp140.dll

windows10-2004-x64

8

msvcp140_1.dll

windows7-x64

1

msvcp140_1.dll

windows10-2004-x64

8

msvcp140_2.dll

windows7-x64

1

msvcp140_2.dll

windows10-2004-x64

8

msvcp140_c...ds.dll

windows7-x64

1

msvcp140_c...ds.dll

windows10-2004-x64

8

root-servi...er.dll

windows7-x64

10

root-servi...er.dll

windows10-2004-x64

10

Resubmissions

10-02-2025 02:06

250210-cjg3laykgq 10

10-02-2025 02:04

250210-chg17syrby 10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10-02-2025 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SoftWare(2).exe

  • Size

    895KB

  • MD5

    a16e394f67d91eadb2f3b63feae0f6e6

  • SHA1

    37576b86112a7ba68d673483d752d92b53c3314d

  • SHA256

    63226615cf004ff25050875bd27eed6bcd095e9ada2c4e428496eab1fd2a5f2c

  • SHA512

    cb9d4b5a3ed1792c0bb1e1b69894e432bcd5df6234affb56d0c80ef4dd3bf06936982f3b80d99758dac910ccd5d5144b1d3d2ff9b450d24b3a827693290e5508

  • SSDEEP

    12288:Mx8+cf8nEU/ofJlKeNi16QksdziFwV++cf8nEU/ofJlKeNi16QksdziFwVTJ:w8Y/ofJlPG6XQ+Y/ofJlPG6XQTJ

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file 1 IoCs
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe
    "C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe
      "C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe"
      2⤵
        PID:1884
      • C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe
        "C:\Users\Admin\AppData\Local\Temp\SoftWare(2).exe"
        2⤵
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Users\Admin\AppData\Local\Temp\IDLW57COKKF92SQRNRB4.exe
          "C:\Users\Admin\AppData\Local\Temp\IDLW57COKKF92SQRNRB4.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:340
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 524
        2⤵
        • Program crash
        PID:1484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\IDLW57COKKF92SQRNRB4.exe
      Filesize

      21KB

      MD5

      c11a82d699a06d9b8ba4296e0c562ae4

      SHA1

      e91963fe8def3ed151333a6a66d005237600ba30

      SHA256

      483b1d7dac70de82e9b22a0c1ed775cf7e10b0a3790c5aa1b9215dbcd1754302

      SHA512

      cc8644279ea2cebf70f594f6cc48d6ebbc10d036b7dcf1008fc05565da85cc36f7e8af7faa49b7c117c9a6ac94d7c007a99b53ec1dd668a7f8c28dc25b410a54

      Download Submit

    • memory/340-33-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/340-32-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/340-31-0x00000000003F0000-0x00000000003FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/340-30-0x000000007375E000-0x000000007375F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2100-7-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-5-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-13-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2100-8-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-4-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-6-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-12-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-15-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-17-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2100-25-0x00000000001E0000-0x00000000001E5000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2100-24-0x00000000001E0000-0x00000000001E5000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2544-14-0x00000000745F0000-0x0000000074CDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2544-16-0x00000000745F0000-0x0000000074CDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2544-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2544-1-0x0000000000210000-0x00000000002F4000-memory.dmp

      Filesize

      912KB

      Download