35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
Size

3.3MB
MD5

931086827557928414c989f9fe3e8026
SHA1

e2f7b5eaf7690965351425775bce2ac1dcff2991
SHA256

fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc
SHA512

a9397a2a8a09c4f7075cac8179291c745f9ef71e9ea0c11912ff26267acf17a9ec9f0867d561c790ef78de8fccb93fd8588a5b3b7cae94a7edc7efa9ac76f27e
SSDEEP

98304:mRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/vWd:mkj8NBFwxpNOuk24Wd

Score

8^/10

defense_evasion execution spyware stealer

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
3012	93Q4oN8A7l.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	93Q4oN8A7l.exe
1212	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
1212	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2548	sc.exe
2788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe
3012	93Q4oN8A7l.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
Token: SeDebugPrivilege	3012	93Q4oN8A7l.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3012	1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe	30
PID 1628 wrote to memory of 3012	1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe	30
PID 1628 wrote to memory of 3012	1628	fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe	30
PID 3012 wrote to memory of 2248	3012	93Q4oN8A7l.exe	31
PID 3012 wrote to memory of 2248	3012	93Q4oN8A7l.exe	31
PID 3012 wrote to memory of 2248	3012	93Q4oN8A7l.exe	31
PID 2248 wrote to memory of 2548	2248	cmd.exe	33
PID 2248 wrote to memory of 2548	2248	cmd.exe	33
PID 2248 wrote to memory of 2548	2248	cmd.exe	33
PID 2248 wrote to memory of 2788	2248	cmd.exe	34
PID 2248 wrote to memory of 2788	2248	cmd.exe	34
PID 2248 wrote to memory of 2788	2248	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe
"C:\Users\Admin\AppData\Local\Temp\fbd98903f85840f90b218843df6be111339b24f98ff354743d374c8a359ca6bc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\93Q4oN8A7l.exe
  "C:\Users\Admin\AppData\Local\Temp\93Q4oN8A7l.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGZiZDk4OTAzZjg1ODQwZjkwYjIxODg0M2RmNmJlMTExMzM5YjI0Zjk4ZmYzNTQ3NDNkMzc0YzhhMzU5Y2E2YmMuZXhl
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\sc.exe
      sc stop "SysMain"
      4⤵
      Launches sc.exe
      PID:2548
  - - C:\Windows\system32\sc.exe
      sc config "SysMain" start=disabled
      4⤵
      Launches sc.exe
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93Q4oN8A7l.exe

Filesize
3.4MB

MD5
4351635c5757b1dd41aa312ff64ef92b

SHA1
687e01ecfb43d272917c4ad66779bfdbe250946b

SHA256
901fef7b7142ccef21e74424115190b5063e812c505d588ba655a84b23baa823

SHA512
72e4abd55015f065f4d281470a22aa9d17681297ae549532c1dad6ce69f97b1271540d949980edfaeab05c32e88ba2198ed04de21e8e9017b25a8ac197aba75e

Download Submit
memory/1628-6-0x00000000007E0000-0x00000000007E4000-memory.dmp

Filesize
16KB

Download
memory/1628-8-0x0000000002390000-0x000000000242C000-memory.dmp

Filesize
624KB

Download
memory/1628-3-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/1628-4-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-5-0x000000001D1A0000-0x000000001D5D8000-memory.dmp

Filesize
4.2MB

Download
memory/1628-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1628-7-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/1628-20-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1628-9-0x0000000000920000-0x0000000000926000-memory.dmp

Filesize
24KB

Download
memory/1628-10-0x0000000000B00000-0x0000000000B32000-memory.dmp

Filesize
200KB

Download
memory/1628-11-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/1628-1-0x000000013FE50000-0x0000000140174000-memory.dmp

Filesize
3.1MB

Download
memory/1628-2-0x000000001C210000-0x000000001C500000-memory.dmp

Filesize
2.9MB

Download
memory/1628-23-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-29-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-22-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-24-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-25-0x000000001BA90000-0x000000001BB02000-memory.dmp

Filesize
456KB

Download
memory/3012-26-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/3012-27-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/3012-28-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/3012-21-0x000000013FED0000-0x00000001401F4000-memory.dmp

Filesize
3.1MB

Download
memory/3012-32-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-33-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/3012-34-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download