Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2025, 19:40

General

  • Target

    817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe

  • Size

    345KB

  • MD5

    fc01e536eb60eb27a3f954ccfb7cdc5a

  • SHA1

    7355be1ed9bf00067e84f8207345923325fd7d32

  • SHA256

    817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a

  • SHA512

    12ce88e18be740d705b2f4305252943322d0578194947bf1f595e3b5a22df708b9abfbe321d8a5422830f49b8692b003f78e85a5d0271a94bf4a74d8c63220e7

  • SSDEEP

    6144:+PtFqR7FDwaIJGIDHO4Il8Uc/IX9rER13dLeeWEXTFI1tEnnbGQVNXv9uOS9U:6jqRxJlsu4j2Ngtee/TFI1tEnnbGqNXF

Malware Config

Signatures

  • Downloads MZ/PE file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
    "C:\Users\Admin\AppData\Local\Temp\817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe"
    1⤵
    • Downloads MZ/PE file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Local\Temp\3TR0Q6H406B1O61NWY55D2I9I9.exe
      "C:\Users\Admin\AppData\Local\Temp\3TR0Q6H406B1O61NWY55D2I9I9.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 668
        3⤵
        • Program crash
        PID:3584
    • C:\Users\Admin\AppData\Local\Temp\51WRFA3GURKGRIV9CDL5Z7.exe
      "C:\Users\Admin\AppData\Local\Temp\51WRFA3GURKGRIV9CDL5Z7.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v atkexComSvc /t REG_SZ /d C:\ProgramData\atkexComSvc.exe /f"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v atkexComSvc /t REG_SZ /d C:\ProgramData\atkexComSvc.exe /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468
    1⤵
    PID:3248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\atkexComSvc.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\ProgramData\atkexComSvc.exe
        C:\ProgramData\atkexComSvc.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2580

    Network

    MITRE ATT&CK Enterprise v16

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3TR0Q6H406B1O61NWY55D2I9I9.exe

      Filesize

      10.8MB

      MD5

      b4f95c0def652145e9a081896c1ff0b3

      SHA1

      96e18c8e8e7d6548d4551038951a3231867f9ba3

      SHA256

      6f0c30497c42675d68a4dfcddbb8b4a4699a28bbd05fc0feea91dc3c537c4ed6

      SHA512

      200cc62bf1c9dcc48723b252e6c4abeab45e7e20346fa6da8b4aa58d47bfa1af3e47ac397df1ae96c8c6a6d4c2f3cbf856d583d275f4c06501c2961be8a32fb6

    • C:\Users\Admin\AppData\Local\Temp\51WRFA3GURKGRIV9CDL5Z7.exe

      Filesize

      10.5MB

      MD5

      957e7d44b235699be79351c274cd8b99

      SHA1

      e10f2b728fd02e49c80591241b239a96a029c6be

      SHA256

      2e0a299e318a9a6928bc24b228e976a09c5322343bf0449620d42d04b615c739

      SHA512

      baed1a2ea2d0476f61e5c10389998a5335ca18d790377c27330a91700078bb09b1f93d2e7457afa045c41b866ce732903f1b1a18038b72ca8579ab62a5bf5c35

    • memory/1468-8-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

      Filesize

      4KB

    • memory/1468-7-0x0000000000AC0000-0x000000000158D000-memory.dmp

      Filesize

      10.8MB

    • memory/1468-12-0x0000000000AC0000-0x000000000158D000-memory.dmp

      Filesize

      10.8MB

    • memory/1468-26-0x0000000000AC0000-0x000000000158D000-memory.dmp

      Filesize

      10.8MB

    • memory/2428-24-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2428-27-0x0000000000400000-0x0000000000CA6000-memory.dmp

      Filesize

      8.6MB

    • memory/2428-18-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2428-23-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2428-15-0x0000000002C60000-0x0000000002F86000-memory.dmp

      Filesize

      3.1MB

    • memory/2428-22-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2428-14-0x0000000002C60000-0x0000000002F86000-memory.dmp

      Filesize

      3.1MB

    • memory/2428-17-0x0000000001300000-0x0000000001303000-memory.dmp

      Filesize

      12KB

    • memory/2428-36-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2428-53-0x0000000003B50000-0x0000000004100000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-42-0x0000000003A30000-0x0000000003FE0000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-45-0x0000000003A30000-0x0000000003FE0000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-47-0x0000000003A30000-0x0000000003FE0000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-46-0x0000000003A30000-0x0000000003FE0000-memory.dmp

      Filesize

      5.7MB

    • memory/2580-50-0x0000000000400000-0x0000000000CA6000-memory.dmp

      Filesize

      8.6MB

    • memory/2580-40-0x0000000000E30000-0x0000000000E33000-memory.dmp

      Filesize

      12KB