Overview

overview

10

Static

static

10

Files/0018...8a.exe

windows7-x64

10

Files/0018...8a.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Files/059c...6b.exe

windows7-x64

3

Files/059c...6b.exe

windows10-2004-x64

3

Files/0761...50.exe

windows7-x64

5

Files/0761...50.exe

windows10-2004-x64

5

Files/0b4a...e6.exe

windows7-x64

10

Files/0b4a...e6.exe

windows10-2004-x64

10

Files/0c10...54.rtf

windows7-x64

8

Files/0c10...54.rtf

windows10-2004-x64

1

Files/0dc6...d8.exe

windows7-x64

7

Files/0dc6...d8.exe

windows10-2004-x64

7

Files/0def...d1.exe

windows7-x64

5

Files/0def...d1.exe

windows10-2004-x64

7

Files/0f64...5d.exe

windows7-x64

10

Files/0f64...5d.exe

windows10-2004-x64

10

Files/0fe5...05.exe

windows7-x64

10

Files/0fe5...05.exe

windows10-2004-x64

10

Files/1150...16.exe

windows7-x64

8

Files/1150...16.exe

windows10-2004-x64

10

Files/11c8...ba.exe

windows7-x64

10

Files/11c8...ba.exe

windows10-2004-x64

10

Files/15e3...5e.exe

windows7-x64

8

Files/15e3...5e.exe

windows10-2004-x64

8

Files/1ca4...74.exe

windows7-x64

10

Files/1ca4...74.exe

windows10-2004-x64

10

Files/1dc7...d8.exe

windows7-x64

5

Files/1dc7...d8.exe

windows10-2004-x64

5

Files/1fb0...c1.exe

windows7-x64

3

Files/1fb0...c1.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    60s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Files/0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe

  • Size

    567KB

  • MD5

    264c28f35244da45b779e4ead9c6c399

  • SHA1

    f57631c3bec9e05605dfdcf826a63657777d09f3

  • SHA256

    0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1

  • SHA512

    7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40

  • SSDEEP

    12288:XT5jLj8eLkXoW+zlyqPVrJ6TPoqy/j1cLLYCQ51mm4poOcmMp+FoyQZiVo:j5jLjSXoVpysVV6TPzy/jGLm51mm8ym8

Score
7/10
discoveryexecutionpersistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Files\0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\Files\0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'dJ3H492fymd.exe-7204' -RunLevel Highest "
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1104
      • C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
        "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
        3⤵
        • Executes dropped EXE
        PID:5064
      • C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
        "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
        3⤵
        • Executes dropped EXE
        PID:1304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 772
      2⤵
      • Program crash
      PID:4520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628
    1⤵
      PID:4812
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
        C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
          "C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1620
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 788
          3⤵
          • Program crash
          PID:3416
    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
      1⤵
        PID:5460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1896 -ip 1896
        1⤵
          PID:668
        • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
          "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
          1⤵
            PID:3620

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
            Filesize

            37KB

            MD5

            af69d667761ef87674be3d231a0ae0e6

            SHA1

            a938c72cfd162d097391d3f53f0097fda5a9543f

            SHA256

            55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343

            SHA512

            32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe
            Filesize

            567KB

            MD5

            264c28f35244da45b779e4ead9c6c399

            SHA1

            f57631c3bec9e05605dfdcf826a63657777d09f3

            SHA256

            0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1

            SHA512

            7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uuxghgo3.nms.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Windows\Temp\Log_SystemCLS.txt
            Filesize

            44B

            MD5

            61fef5c3f0158a5fc21fd797a55ec0f5

            SHA1

            2af5af729a1b305e99bf8f435dfb316e7ebc39ba

            SHA256

            4a197c04ed431fb21e188883b75d7e88fd3bdf02ffd5efab6f7d8b42ed0f24bf

            SHA512

            411861addc2412f8afb00781a9bd68a303c817d6c043ad96730ecc3355eb633aafd4407439908fb4a6618a4b9dc82dcceaa6b215dc8a4ef0b485b912efa892ee

            Download Submit

          • memory/628-1-0x00000000006F0000-0x0000000000786000-memory.dmp

            Filesize

            600KB

            Download

          • memory/628-2-0x0000000005680000-0x0000000005C24000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/628-6-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/628-0-0x000000007517E000-0x000000007517F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1104-62-0x0000000007190000-0x000000000719A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1104-48-0x000000006FD90000-0x000000006FDDC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1104-66-0x0000000007330000-0x0000000007341000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1104-22-0x0000000002820000-0x0000000002856000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1104-24-0x0000000004F20000-0x0000000005548000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1104-63-0x00000000073C0000-0x0000000007456000-memory.dmp

            Filesize

            600KB

            Download

          • memory/1104-28-0x0000000004E10000-0x0000000004E32000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1104-30-0x00000000057C0000-0x0000000005826000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1104-29-0x0000000004EB0000-0x0000000004F16000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1104-60-0x0000000007770000-0x0000000007DEA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1104-40-0x0000000005830000-0x0000000005B84000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1104-45-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1104-46-0x0000000005E80000-0x0000000005ECC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1104-47-0x0000000006DA0000-0x0000000006DD2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1104-58-0x00000000063C0000-0x00000000063DE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1104-61-0x0000000007130000-0x000000000714A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1104-59-0x0000000006FE0000-0x0000000007083000-memory.dmp

            Filesize

            652KB

            Download

          • memory/2352-65-0x0000000006F40000-0x000000000746C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2352-8-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2352-7-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2352-5-0x0000000000400000-0x0000000000492000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2352-11-0x00000000065F0000-0x0000000006666000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2352-13-0x0000000006840000-0x0000000006A02000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2352-14-0x00000000067C0000-0x0000000006810000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2352-79-0x0000000002A50000-0x0000000002A62000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2352-80-0x0000000006C70000-0x0000000006C8E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2352-81-0x0000000007510000-0x00000000075A2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2352-82-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2352-83-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2352-85-0x0000000075170000-0x0000000075920000-memory.dmp

            Filesize

            7.7MB

            Download