Analysis
-
max time kernel
121s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-04-2024 10:15
General
-
Target
ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b.exe
-
Size
2.6MB
-
MD5
43eabc0816bf440573942cd0de5854cd
-
SHA1
1981b5cc46e40d05d170941121b306694c50b790
-
SHA256
ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b
-
SHA512
89686643a7f3d20987e7c30985f0120c2160e7f1514f4b0376b3071a60c759ee5b0caefcfaf6e07643906eaebe3d6f8d76200d7f0f0de718cef720d5ebf286f4
-
SSDEEP
24576:9A8vyrepIND/0bfSPdaYsi5YYR+h+8fEvdDrGnrdEROGHOhXBo7FC/hRJHOh:9A81IJPLmEvdDqnroHO9HO
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b.exe"C:\Users\Admin\AppData\Local\Temp\ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b.exe"C:\Users\Admin\AppData\Local\Temp\ec4a55497498ef265c9ec209666bdc98f6fd81edb311c7f091831456f7d54d3b.exe" Master2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD59eb9a54e054a1cedf1e7cd71c34d3e43
SHA1f375451dbf638e0add06acfee5cba2c9ae9dc9fd
SHA25661c6777a4c12f2fb9d64bcbd63a686ce7b42e0a1b286c140bd212b2b8043ad79
SHA512d5ac50c2a31edf7f371e39d0addf6d32172778a6f4dd391ccfaf88a39c479b409e7f77bda2aec42f440204cd18227f15ae57676322986d645825eca9b699c847
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5dabc68afe894245bdbf7fd89c94f4468
SHA1357c57e6c7a221bda6a4f877556cc430f3d85bf7
SHA256fff6db6cbddff3f009bf4fc85b47e16aa604699033bb0e5faf7bc3210e2d3295
SHA512996d9e3dc80f27a62c6f1a6933831758a91d65beaf4279072c06f07a8270e224749afe26ddac9bda38914a8beb9e4c524d9a8e5dc54cf0e0407ff370acd36165
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56f8dba4218bc70952985af1cfa894515
SHA1f09b3dbc7ae61aba80068ea13fa29913b16454cd
SHA256c1b094914c55dbc5ac8ffc18709cb247a36e0049e85ce1f45511f1b5ac8ca3ce
SHA5129ea5d8f6a464999c83df42db9a4da92bb0d2cfef424cd2688183cc8affcb31b154119b13c5aebb15e95f9aa3f3d9f79f6bdfc5770fd172ea393d2593a8aeb3e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5723c3adb2735bda60a9dfa94f017fc9f
SHA1c08af32b0d1fd085a070f5d330ce4e59fcac429d
SHA256a3a3041d14ba5b53146ab037ff8d3594b58fbd39eabc6bb6e7e45b85db19c01d
SHA5120e221c6cf8ddcff64d6d5202e72351415f260299c79c6bb7b7ef64359f0350af1f628b42e1b9eb57e96b9a5bc02a75bf949865e81d8c4a2bbf8ebf4a210b7712
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55db7d7dcb417aa58dcfc7adb9799f130
SHA16c3a57ed1a3f23cef40955b5ec9a9d92b503a3d9
SHA256eaff5693b5c5c2fd2d560932fed57cb85b98e9b187a58a592b66d4ea9ce4d428
SHA512957b4c00228c29cfe8c350713c65e6dec8f78acaf505d37e61ca6edab4f5bc6b7e307aafd96e8fe2b36e45055ad28c940bb19e161f775454c58ac2d486fefd62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53c5fb4294ae35b80ca62cdb9f68017de
SHA1cded74e2d8668cd73abfcd1aac4720a00bf2fbe0
SHA25607568952b6b42ecfdcca0a257f49d1e1459d75a38b14e0c83192d3af9704162a
SHA512b78037875016ca29dd5fafc3fe80bab05d43fbc64f19c08e26a5a810e27f8aec0ca08368d5950ba8de62e2e27f5bf2a4c4e1af49844dfd168110614f95fbf0f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50e2515a742b2bd479ce3a6030ce33ecd
SHA1ef702d802f52c15e946eb16f7eb7964aeb31b319
SHA25608998eb41106b813dcef97cf6590eda10c55f6f371992f1aaadfdbc67cdb0707
SHA5126897e6f867c59a8706c4a27313847a9ef0c7cbba3d0df2580e440d090a26298e8837c92fbd5031bb665214bdfbb7c72219e81657b50e6776f1a1592ce8f0b837
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f202d9b374034a30323704df936c27e6
SHA1da9c725eef03efad386c6d7d92c36b51da3f0824
SHA256643b894e0a3897b6da43e12b5d5c3a210e643e1062e795de71baa3bfbd9473ce
SHA512a5118f18a9ccd86730d601d4bf3f2806c244b887737804e2a24e846b34d0093831ac2fb5407a6a595d44b9ea1167389331ec93ec019cc157dd7ce85db43fbac2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b85a41de67a238a01fcefebe2bab7be6
SHA1fa5b4cba750b44791c91baa4da2d32ed3a60f132
SHA256b76403f1a2a1ce0fa64a8760714e1518f431ce965ddc7cedffaea92091d40111
SHA51224c5330a0d7f7dcbd3bfcf9d30db44578c5fa93baa4f3529c65f713da0056a636075218f18270bc93c6063c73f81b8ef599d1eec2de2f1d3b1df7f098a424d94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56d1d2b2035a2ac733b919af060f9eb0d
SHA18a4aeb3720e9cb9378663e848d87f368cb42652c
SHA256a95063a7f2f9f7d307eb06c87c9b5f138f9abbf339eea5afcc3521c6de4f154f
SHA5122af5597471e47114f158532a656f356341f32bcf62f881088ab591cd7224a5a10d876f440c370cfb4ada0ae3b14e3f85f7b9ee04c6ac6d64165400475a81b800
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5313a41678ebdef32010bb5fe85f6d3e2
SHA155396352eb74ba06bd1fa3809050eec87c505dfc
SHA256a2d3cd20ca87499d738f48dde2937fe53f4571adcace834e0284a2870f8ac9cf
SHA5129c71074b4661b5d3484df77d1dc4031d5c422276e7d88c059fc9b03f05986131728e69cb4993b502d7974ef1155ec733144619b1c211610152fe75f09987c2f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e3b6b4183ae48f17ea1d31789d915141
SHA178d9b400ec6079a91b8e1bceea84c1e9c2901499
SHA256518136fcd086c4bea209f012c344320a38f3b103b1b58cdb37f00a40161a6848
SHA512d9b4047f7a50c0881d76af01fc9128476b315372f32b44973438507f28f12d973aac5ecfac2feef3338f11ee9148297e0db2719a68a12e2e9043bd069de4f767
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD569d8555644ce87b7af841d38811a5feb
SHA118af3445cd75c41b36d0e24d7f35cb9c36f02ee3
SHA2562a79acab89fe245e41b2c2b87d5623e1f6a563c88c3083fa25c0e4165270c2ef
SHA5129a4a3fc7860d699a19c05b4ea49f9f0673573f6fd55212630b02763e96365e63830aff0b35f94e86c764952b0eff07e4955a36e0712eb9fa76d7c8d76a94cb85
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56a4b29d82c243faecdee4decb4c1b997
SHA1549f635e01ae2ea06752e8ac27186fe4f63246c4
SHA256b56172580e70b798594a9f9eb505e30e3f39180222d99013db1ddaeecd35c1f7
SHA51241021424db84741739fe55aaf7f007131fb4b5f2c310e8e14ccd80680b141d1b780c3a88b9e2bba956e3585eba0ad7f64bb72c9a5be81bd71fa2a1783a47a301
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c7301d8b21e87cebd6d0d90c9fc26103
SHA1e5dda27c001fad6bf7abe2f21eb391db364e65ce
SHA256ca39c95b9bf798fc8b19d4281ec20e97eb04b2f01b1a1471debf6695b26a8b3b
SHA512c7a227b51ced515819281e9f82fc6c2d9c311722a797b42d49f5cb72274d638083b91890646625f7d1470c614e6bd8605270b1044688583531c82d27c356a55a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56b4c85ed52169d1949d8e9a1e3a57e88
SHA1986f6e913f1674669f09e1e5efa69de45d8fd413
SHA256fabf48eda63f91dc4430c5c09a3f62a174b1cbaba663fd69e2c735d8082e9846
SHA512967ea1a56ebf8ea152dcf2319d39b0e2fe10b8f2979c33a104ff6634ecf011517078911efec0ee660b189a7e3064469ac1dd1a127ec1836b065cb26c88f3c4ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c7a44e4693582710b9e8cb22a39ffa5a
SHA15654543d5898c0fb634823335ea5cf4f490edf68
SHA25684e67bf401616bb6acd77a0b6c2b09171468263c08b15a14d617cede4f437a97
SHA512f9a716c4f2aadb1027dfa4e38dda6370fa93b7424ad9c8277f0138796618479da4fa74b5f7f32973426aec641841437eed4854f205ec12721bdeb0f637c16d6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55d566102092337688d2366063a7c1aee
SHA183ca76274d0b07f4c69a7e120b888e550583e358
SHA2569810b9a9baf5ae6acb466247854aa197bb83105d81b7e0eab8d9def94e9ce59d
SHA5122b108d8c86be05b3b50c8315307a22fbc26132db68bfadd4129edc194c323076c035089fb54f14ecaed76ed1d51999a51e8172ff56cb2b48bae4f36eafeaa097
-
C:\Users\Admin\AppData\Local\Temp\Cab106A.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\CabFAD.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar108E.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
memory/300-2-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/300-5-0x0000000000400000-0x000000000069F000-memory.dmpFilesize
2.6MB
-
memory/300-8-0x0000000000400000-0x000000000069F000-memory.dmpFilesize
2.6MB
-
memory/2176-0-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2176-1-0x0000000000400000-0x000000000069F000-memory.dmpFilesize
2.6MB