Overview

overview

10

Static

static

5

lexis.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27/03/2025, 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lexis.exe

  • Size

    20.2MB

  • MD5

    f9bf9c1831d7f63d427cfbc979fd1e12

  • SHA1

    b7e92540d56c36d27c4ef77603d2b0d8dfdb72d1

  • SHA256

    63e776333c51e644d1b6ee76f26953596446544b335d19c46db9d75b18314830

  • SHA512

    b71e40ab4d1cb52a37eb70b48bd7af09a846e3f1e58b6be923d030007aa9de00f8c9a98de2f625d46653afc2e3713c0882522eeb92fcbd7d589a691c0c5273fe

  • SSDEEP

    98304:TuqoOcOigmHaaDl8cCbWF7zT2b9uXFiN+bJz+VuYwhG:TGOZmHaapvCbWlCuAIbJziuYJ

Score
10/10
salatstealercredential_accessdiscoveryspywarestealerupx

Malware Config

Signatures

  • Detect SalatStealer payload 10 IoCs
  • Salatstealer family
    salatstealer
  • salatstealer

    SalatStealer is a stealer that takes sceenshot written in Golang.

    stealersalatstealer
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lexis.exe
    "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Program Files (x86)\MSBuild\SppExtComObj.Exe
      "C:\Program Files (x86)\MSBuild\SppExtComObj.Exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe
        3⤵
        • Drops file in Drivers directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\ReAgentc.exe
          "C:\Windows\system32\ReAgentc.exe" /disable
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:4012
      • C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe
        "C:\Program Files\Google\Chrome\Application\SppExtComObj.Exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5508
      • C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.Exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5212
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
      PID:3908
    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
      1⤵
        PID:4152
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1308
        • C:\Users\Admin\AppData\Local\Temp\lexis.exe
          "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:6000
        • C:\Users\Admin\AppData\Local\Temp\lexis.exe
          "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5088
        • C:\Users\Admin\AppData\Local\Temp\lexis.exe
          "C:\Users\Admin\AppData\Local\Temp\lexis.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5684

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\MSBuild\SppExtComObj.Exe
          Filesize

          20.2MB

          MD5

          f9bf9c1831d7f63d427cfbc979fd1e12

          SHA1

          b7e92540d56c36d27c4ef77603d2b0d8dfdb72d1

          SHA256

          63e776333c51e644d1b6ee76f26953596446544b335d19c46db9d75b18314830

          SHA512

          b71e40ab4d1cb52a37eb70b48bd7af09a846e3f1e58b6be923d030007aa9de00f8c9a98de2f625d46653afc2e3713c0882522eeb92fcbd7d589a691c0c5273fe

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m3eexcsc.zlj.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/808-0-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/808-9-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2384-46-0x0000000007C10000-0x00000000081B6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2384-12-0x0000000002930000-0x0000000002966000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2384-14-0x0000000074940000-0x00000000750F1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2384-13-0x0000000005650000-0x0000000005C7A000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2384-18-0x0000000074940000-0x00000000750F1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2384-75-0x0000000074940000-0x00000000750F1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2384-20-0x0000000005270000-0x0000000005292000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2384-21-0x0000000005310000-0x0000000005376000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2384-22-0x00000000053F0000-0x0000000005456000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2384-28-0x0000000005C80000-0x0000000005FD7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2384-11-0x000000007494E000-0x000000007494F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2384-33-0x0000000006160000-0x000000000617E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2384-74-0x000000007494E000-0x000000007494F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2384-35-0x00000000061A0000-0x00000000061EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2384-36-0x0000000006720000-0x0000000006766000-memory.dmp

          Filesize

          280KB

          Download

        • memory/2384-72-0x0000000007A10000-0x0000000007A18000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2384-71-0x0000000007A20000-0x0000000007A3A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2384-44-0x0000000007520000-0x000000000753A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2384-45-0x0000000007630000-0x0000000007652000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2384-43-0x0000000007590000-0x0000000007626000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2384-53-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2384-70-0x00000000079C0000-0x00000000079D5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2384-52-0x00000000077D0000-0x0000000007804000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2384-54-0x0000000070E20000-0x0000000071177000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2384-63-0x0000000007810000-0x000000000782E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2384-64-0x0000000007830000-0x00000000078D4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2384-65-0x0000000008840000-0x0000000008EBA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2384-66-0x0000000007980000-0x000000000798A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2384-67-0x0000000007990000-0x00000000079A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2384-69-0x00000000079B0000-0x00000000079BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4524-76-0x0000000000BC0000-0x000000000173F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4524-7-0x0000000000BC0000-0x000000000173F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4524-73-0x0000000000BC0000-0x000000000173F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4524-68-0x0000000000BC0000-0x000000000173F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4524-86-0x0000000000BC0000-0x000000000173F000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5088-83-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5088-80-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5212-42-0x0000000000E60000-0x00000000019DF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5212-41-0x0000000000E60000-0x00000000019DF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5508-19-0x0000000000670000-0x00000000011EF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5508-34-0x0000000000670000-0x00000000011EF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5684-85-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/6000-77-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/6000-79-0x0000000000140000-0x0000000000CBF000-memory.dmp

          Filesize

          11.5MB

          Download