Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-vzp29axk17
Target 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
SHA256 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
Tags
execution persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8

Threat Level: Shows suspicious behavior

The file 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8 shows suspicious behavior (score 7/10). In both detonations it copies itself to C:\Users\Public\Documents\HiddenApp\TaskBar.exe (the dropped file carries the same hashes as the sample), installs three logon-time persistence mechanisms for that copy (a file in the user's Startup folder, a HKCU Run key named MAMP, and an ONLOGON scheduled task named "MAMP id_xmpxqm49"), and triggers the browser-profile-read signature that earns it the spyware/stealer tags.

Malicious Activity Summary

execution persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Unsigned PE

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:25

Reported

2025-07-04 17:28

Platform

win10v2004-20250619-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\HiddenApp\TaskBar.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe" C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 3840 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3840 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4648 wrote to memory of 924 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Documents\HiddenApp\TaskBar.exe
PID 4648 wrote to memory of 924 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Documents\HiddenApp\TaskBar.exe
PID 4220 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4604 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe

"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Windows\system32\cmd.exe

cmd /c echo [InternetShortcut]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F

C:\Windows\system32\schtasks.exe

schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE
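The process chain above (the same chain appears in behavioral2) establishes persistence three ways: cmd.exe writes an [InternetShortcut] file into the user's Startup folder, the sample sets a Run key, and schtasks creates and enables an ONLOGON task. The following Python is an added example for this report, not the sandbox's own code or anything from the sample: it runs simple detection logic over event lines constructed from the command lines and the registry write the report lists (the "/id_yob72 id_pvure69" tokens are copied exactly as the report prints them), replays the echo redirections to reconstruct what was written to MAMP.lnk, and maps each finding to its ATT&CK sub-technique. The (kind, detail) tuple format of the events is an assumption made for the example.

```python
"""Persistence triage over sandbox process and registry events.

Added example for this report, not the sandbox's or the sample's own code.
The events below are constructed from the command lines and the Run-key
write the report lists for behavioral1; the (kind, detail) format is an
assumption. Placeholder tokens are copied as printed in the report.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    ("process", r'"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"'),
    ("process", r'C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"'),
    ("process", r'cmd /c echo [InternetShortcut]'),
    ("registry", r'\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe"'),
    ("process", r'C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe'),
    ("process", r'C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F'),
    ("process", r'schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F'),
    ("process", r'schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE'),
]

STARTUP_MARK = "\\start menu\\programs\\startup\\"
# One 'echo TEXT > FILE' or 'echo TEXT >> FILE' segment of a && chain.
ECHO_WRITE_RE = re.compile(r'echo\s+(.*?)\s*(>>|>)\s*"?([^"&]+?)"?\s*(?:&&|$)')
RUN_KEY_RE = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\(\S+)\s*=\s*"(.*)"', re.I)
FILE_URL_RE = re.compile(r'^URL=file:///(.+)$', re.I)


@dataclass(frozen=True)
class Indicator:
    technique: str
    attack_id: str   # MITRE ATT&CK sub-technique
    artifact: str    # file, key or task that carries the persistence
    target: str      # what gets launched


def reconstruct_echo_writes(cmd):
    """Replay 'echo X > f' / 'echo Y >> f' chains; returns {file: [lines]}."""
    files = {}
    for text, op, path in ECHO_WRITE_RE.findall(cmd):
        path = path.strip()
        if op == ">":
            files[path] = []                    # '>' truncates, '>>' appends
        files.setdefault(path, []).append(text.strip())
    return files


def _flag(cmd, name):
    """Value of a /NAME argument (quoted or bare), or None."""
    m = re.search(r'/' + name + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def extract_persistence(events):
    """Detect Startup-folder drops, Run keys and schtasks /Create in event lines."""
    found = []

    def add(ind):
        if ind not in found:                    # parent cmd.exe and child schtasks.exe
            found.append(ind)                   # report the same command twice

    for kind, detail in events:
        if kind == "registry":
            m = RUN_KEY_RE.search(detail)
            if m:
                add(Indicator("Registry Run key", "T1547.001",
                              "Run\\" + m.group(1), m.group(2).replace("\\\\", "\\")))
            continue
        low = detail.lower()
        if STARTUP_MARK in low and ">" in detail:
            for path, lines in reconstruct_echo_writes(detail).items():
                if STARTUP_MARK not in path.lower():
                    continue
                target = path                   # a plain executable in Startup runs itself
                for line in lines:
                    m = FILE_URL_RE.match(line)
                    if m:
                        target = m.group(1)     # URL=file:/// names the real payload
                add(Indicator("Startup folder file", "T1547.001", path, target))
        if re.search(r'\bschtasks(?:\.exe)?\b', low) and re.search(r'/create\b', low):
            add(Indicator("Scheduled task (%s)" % (_flag(detail, "SC") or "?"), "T1053.005",
                          _flag(detail, "TN") or "?", _flag(detail, "TR") or "?"))
    return found


def persistence_targets(indicators):
    """Distinct launch targets, lower-cased for case-insensitive comparison."""
    return {i.target.lower() for i in indicators}


if __name__ == "__main__":
    for ind in extract_persistence(SAMPLE_EVENTS):
        print(f"{ind.attack_id} {ind.technique}: {ind.artifact} -> {ind.target}")
```

All three indicators resolve to the same launch target, which is the practical takeaway for containment: removing TaskBar.exe alone leaves three dangling launchers, and removing one launcher leaves two working ones. Two caveats on the Startup-folder artifact: the file is written with a .lnk extension but contains .url-style [InternetShortcut] text, and this report does not establish whether the shell honours that at logon, so the Run key and the ONLOGON task are the more reliable persistence paths to hunt for; and cmd.exe's echo keeps the space before the redirection operator, so the on-disk bytes differ slightly from the stripped lines the example reconstructs.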

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

All recorded destinations are Bing endpoints (www.bing.com, tse1.mm.bing.net) and Google Trust Services' certificate-status (CRL/OCSP) host c.pki.goog, traffic typical of Windows background activity rather than of the sample; no contact with attacker-controlled infrastructure was recorded in this run, and the behavioral2 run recorded no network activity at all. Treat this table as noise, not as C2 indicators.

Files

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

MD5 8c9908027dac44fcb913f1bd1a27f19b
SHA1 22a8909d8b4e507a442e38caaac2dbd77ff58899
SHA256 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
SHA512 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f

C:\Users\Public\Documents\HiddenApp\log.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
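Two things in the Files table deserve a second look. TaskBar.exe carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropper copies itself into C:\Users\Public\Documents\HiddenApp\ rather than unpacking a second stage. And log.txt's digests (MD5 c4ca4238a0b923820dcc509a6f75849b, SHA1 356a192b7913b04c54574d18c28d46e6395428ab, ...) are the digests of the single ASCII byte "1", so the file is a one-byte marker, not a log. The Python below is an added example for this report, not the sandbox's own code: it copies the digests from the table, flags the self-copy, and recovers the content of the tiny file by brute force over a small candidate space (printable ASCII up to two bytes, with or without a line ending), an assumption that happens to be enough here.

```python
"""Make sense of the dropped-file hashes in the Files tables.

Added example for this report, not the sandbox's own code. The digests are
copied from the behavioral1 Files table; the candidate space used to recover
a tiny file's content (printable ASCII, up to two bytes, optional LF/CRLF) is
an assumption for the example.
"""
import hashlib
from itertools import product

ALGOS = ("md5", "sha1", "sha256", "sha512")
SAMPLE_SHA256 = "4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8"

DROPPED = {  # copied from the report's Files table
    r"C:\Users\Public\Documents\HiddenApp\TaskBar.exe": {
        "md5": "8c9908027dac44fcb913f1bd1a27f19b",
        "sha1": "22a8909d8b4e507a442e38caaac2dbd77ff58899",
        "sha256": "4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8",
        "sha512": "56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f",
    },
    r"C:\Users\Public\Documents\HiddenApp\log.txt": {
        "md5": "c4ca4238a0b923820dcc509a6f75849b",
        "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
        "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
        "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
    },
}


def hashes_of(data):
    """All four digests of `data`, keyed like the report's Files table."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def recover_tiny_content(digests, max_len=2):
    """Brute-force the bytes of a very small file from its SHA-256.

    Tries every printable-ASCII string of up to `max_len` bytes with no, LF,
    or CRLF line ending (about 27k candidates for max_len=2). Returns the
    bytes or None. Only feasible for tiny files: the space grows as 95**n.
    """
    alphabet = [bytes([c]) for c in range(0x20, 0x7F)]
    for n in range(max_len + 1):
        for combo in product(alphabet, repeat=n):
            body = b"".join(combo)
            for ending in (b"", b"\n", b"\r\n"):
                cand = body + ending
                if hashlib.sha256(cand).hexdigest() == digests["sha256"]:
                    return cand
    return None


def classify_dropped(dropped, sample_sha256):
    """Label each dropped file: self-copy of the sample, recovered tiny file, or unknown."""
    result = {}
    for path, digests in dropped.items():
        if digests["sha256"] == sample_sha256:
            result[path] = ("self-copy", None)
            continue
        content = recover_tiny_content(digests)
        # Cross-check every listed digest so a SHA-256 hit is not taken on trust.
        if content is not None and hashes_of(content) == digests:
            result[path] = ("tiny-file", content)
        else:
            result[path] = ("unknown", None)
    return result


if __name__ == "__main__":
    for path, (label, content) in classify_dropped(DROPPED, SAMPLE_SHA256).items():
        print(f"{path}: {label}" + (f" content={content!r}" if content else ""))
```

The same file pair, with identical digests, appears in the behavioral2 Files table, so the classification holds for both runs. For triage this means the only IOC hashes worth pushing are the sample's own; log.txt's digests will match any other one-byte "1" file and should not be used as indicators.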

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 17:25

Reported

2025-07-04 17:28

Platform

win11-20250610-en

Max time kernel

128s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\HiddenApp\TaskBar.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAMP = "C:\\Users\\Public\\Documents\\HiddenApp\\TaskBar.exe" C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 6020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 6020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 6012 wrote to memory of 808 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Documents\HiddenApp\TaskBar.exe
PID 6012 wrote to memory of 808 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Documents\HiddenApp\TaskBar.exe
PID 4396 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4396 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4496 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe C:\Windows\system32\cmd.exe
PID 3104 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3104 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe

"C:\Users\Admin\AppData\Local\Temp\4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk" && echo URL=file:///C:\Users\Public\Documents\HiddenApp\TaskBar.exe >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAMP.lnk"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Windows\system32\cmd.exe

cmd /c echo [InternetShortcut]

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F

C:\Windows\system32\schtasks.exe

schtasks /Create /SC ONLOGON /TN "MAMP id_xmpxqm49" /TR "C:\Users\Public\Documents\HiddenApp\TaskBar.exe" /id_yob72 id_pvure69 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "MAMP id_xmpxqm49" /ENABLE

Network

Files

C:\Users\Public\Documents\HiddenApp\TaskBar.exe

MD5 8c9908027dac44fcb913f1bd1a27f19b
SHA1 22a8909d8b4e507a442e38caaac2dbd77ff58899
SHA256 4f3c004fb8e66cc34f44cafe6a3540724925cac754124999ba424797fd16e1b8
SHA512 56bcc8f4d8a967031e9af2da00bb9cdcc0572e926ff12dc689f64c3a16aec5c1f20767a37aa4f790279cf6dbca692e2bc269c432433918b936707fa71a26f70f

C:\Users\Public\Documents\HiddenApp\log.txt

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a