Overview

overview

10

Static

static

10

e1dcb9ba72...29.exe

windows7-x64

3

e1dcb9ba72...29.exe

windows10-2004-x64

3

e2071b429e...5c.exe

windows7-x64

10

e2071b429e...5c.exe

windows10-2004-x64

10

e249dbf0ac...f4.exe

windows7-x64

8

e249dbf0ac...f4.exe

windows10-2004-x64

8

e277271cc7...e8.exe

windows7-x64

10

e277271cc7...e8.exe

windows10-2004-x64

10

e282def0d2...89.exe

windows7-x64

10

e282def0d2...89.exe

windows10-2004-x64

10

e29645b977...39.exe

windows7-x64

7

e29645b977...39.exe

windows10-2004-x64

7

e2bfb9c5da...0c.exe

windows7-x64

1

e2bfb9c5da...0c.exe

windows10-2004-x64

1

e316eea789...fa.exe

windows7-x64

1

e316eea789...fa.exe

windows10-2004-x64

1

e3250ba3e9...f9.exe

windows7-x64

10

e3250ba3e9...f9.exe

windows10-2004-x64

10

e34a914ca2...b1.exe

windows7-x64

10

e34a914ca2...b1.exe

windows10-2004-x64

10

e37b2913aa...c6.exe

windows7-x64

10

e37b2913aa...c6.exe

windows10-2004-x64

10

e37c63b72b...0d.exe

windows7-x64

10

e37c63b72b...0d.exe

windows10-2004-x64

10

e37cf80804...e0.exe

windows7-x64

10

e37cf80804...e0.exe

windows10-2004-x64

10

e3a2f6c598...82.exe

windows7-x64

1

e3a2f6c598...82.exe

windows10-2004-x64

1

e3a86fc42d...62.exe

windows7-x64

9

e3a86fc42d...62.exe

windows10-2004-x64

9

e3e3053d34...10.exe

windows7-x64

10

e3e3053d34...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e34a914ca2b4fd7d490bd7fa0893c9b1.exe

  • Size

    222KB

  • MD5

    e34a914ca2b4fd7d490bd7fa0893c9b1

  • SHA1

    e55c2dcfb6dccf9e84664af5932e9ab2eff2f2c9

  • SHA256

    047f813c24a57883f2c6b15706b6695dd0497bc51d8b13bf74f213fdb6772d30

  • SHA512

    0a67a20afd1f5e03799d8e88a842998dace89cbcbce34b8cbc339c9fc73d9784c8dd2899ff416955f51e6eea9c4637eeef610e6b360bac57915e46a0777b9cab

  • SSDEEP

    3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmLY:ZR5IuMQoseGk7RZBGxAycKpSPX2D

Score
10/10
defense_evasiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e34a914ca2b4fd7d490bd7fa0893c9b1.exe
    "C:\Users\Admin\AppData\Local\Temp\e34a914ca2b4fd7d490bd7fa0893c9b1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe
      "C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn Admin /tr "\"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe\" arguments" /sc MINUTE /mo 1
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5156
      • \??\c:\windows\microsoft.net\framework\v2.0.50727\InstallUtil.exe
        "c:\windows\microsoft.net\framework\v2.0.50727\\InstallUtil.exe" C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
        PID:4736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\e34a914ca2b4fd7d490bd7fa0893c9b1.exe" && del "C:\Users\Admin\AppData\Local\Temp\e34a914ca2b4fd7d490bd7fa0893c9b1.exe.config"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          3⤵
          • Delays execution with timeout.exe
          PID:4636
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:4136
      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe
        C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe arguments
        1⤵
        • Executes dropped EXE
        PID:6056
      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe
        C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe arguments
        1⤵
        • Executes dropped EXE
        PID:4500

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Modify Registry

      3
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\mlang32.exe.log
        Filesize

        595B

        MD5

        5446caf843683ea0aab610c729c40ab1

        SHA1

        6df96e9c6c90843766b0fde8cec5e3a955291e74

        SHA256

        f7dbd089564c22c13483b867392a7bd1f9b49f8e0b089e2cc7bd7bfbf62c6329

        SHA512

        488e2b8750ff820e3fbdcbb9201abddfc6c8ccc3e7cc29962a05c2313ea862eddbf4e0a49ab6a5029aa4d9c137daf2623f1b34e4dcb896269e6edae8276148ff

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe
        Filesize

        222KB

        MD5

        a4ed99e7c06c842aefc16b52a784be41

        SHA1

        11fda6b4afbfbe7afc1ca1b892e4f80b92c02c33

        SHA256

        3afc1227f967ad587e8a942f411a2e2f354064173920c58b691e9f10c623db8f

        SHA512

        d80e63ea1fe401abe5e73cc96dc79dffd5d224331dd89a1caffb4a853816020eb00b57c27bbe51d5f801bd267f94f0d3d9de9192800e47961fe76d451a422351

        Download Submit

      • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\mlang32.exe.config
        Filesize

        1KB

        MD5

        dd3d04c365984b4ec57a80503f81fddf

        SHA1

        c55fbcb61818e47dac9aae465faff91f0805bd7c

        SHA256

        40a59ca9744dc3d4647f246b2dc553f37f8095418c1b48a9bd94cdb5c03dbc5c

        SHA512

        0dd459def2abe9e3f0d1251049a0755c63f7dd3d85e91dba272c3f479f2578e3f3f2379e1cd6913190f7f596af721201eb5d9423ab28aed72bde5cd3cac7f785

        Download Submit

      • memory/1928-32-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2528-9-0x000000001BF10000-0x000000001BF32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2528-3-0x000000001BE60000-0x000000001BEFC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2528-6-0x000000001C040000-0x000000001C0A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2528-7-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2528-8-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2528-10-0x000000001EAC0000-0x000000001EB66000-memory.dmp

        Filesize

        664KB

        Download

      • memory/2528-0-0x00007FFB5E635000-0x00007FFB5E636000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2528-11-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2528-4-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2528-5-0x0000000000D00000-0x0000000000D08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2528-1-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2528-2-0x000000001B990000-0x000000001BE5E000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2528-30-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4568-28-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4568-31-0x000000001CBE0000-0x000000001CC02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4568-27-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4568-33-0x000000001FB10000-0x000000001FB72000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4568-34-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4568-26-0x00007FFB5E380000-0x00007FFB5ED21000-memory.dmp

        Filesize

        9.6MB

        Download