79cf69dfb121cfdd2652fc085ebbc4883d3c317e0af826655dfec2badc0d93e0

Analysis

max time kernel
4s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
23-02-2021 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12b7354905a6ed76882b313bfd5fd777.exe
Size

5.7MB
MD5

12b7354905a6ed76882b313bfd5fd777
SHA1

494125193a36326356b21bddff94ddeec8cf1748
SHA256

79cf69dfb121cfdd2652fc085ebbc4883d3c317e0af826655dfec2badc0d93e0
SHA512

2e044f05aef7c7cd2e137d20be8234cd730bace8f657ec5e59d4430b9094149068e312cb14602352e1bc724c8747ef970a3323c52927c08cf854ecadb35c399c

Score

7^/10

spyware

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

12b7354905a6ed76882b313bfd5fd777.exe

pid	process
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe
1444	12b7354905a6ed76882b313bfd5fd777.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

12b7354905a6ed76882b313bfd5fd777.exe

description pid process

Token: 35 1444 12b7354905a6ed76882b313bfd5fd777.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

description	pid	process
Token: 35	1444	12b7354905a6ed76882b313bfd5fd777.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

12b7354905a6ed76882b313bfd5fd777.exe

description	pid	process	target process
PID 1684 wrote to memory of 1444	1684	12b7354905a6ed76882b313bfd5fd777.exe	12b7354905a6ed76882b313bfd5fd777.exe
PID 1684 wrote to memory of 1444	1684	12b7354905a6ed76882b313bfd5fd777.exe	12b7354905a6ed76882b313bfd5fd777.exe
PID 1684 wrote to memory of 1444	1684	12b7354905a6ed76882b313bfd5fd777.exe	12b7354905a6ed76882b313bfd5fd777.exe
PID 1684 wrote to memory of 1444	1684	12b7354905a6ed76882b313bfd5fd777.exe	12b7354905a6ed76882b313bfd5fd777.exe

C:\Users\Admin\AppData\Local\Temp\12b7354905a6ed76882b313bfd5fd777.exe
"C:\Users\Admin\AppData\Local\Temp\12b7354905a6ed76882b313bfd5fd777.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\12b7354905a6ed76882b313bfd5fd777.exe
"C:\Users\Admin\AppData\Local\Temp\12b7354905a6ed76882b313bfd5fd777.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16842\VCRUNTIME140.dll
MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_bz2.pyd
MD5
055cfc5297933c338d8c04fd4e2462a2

SHA1
bf8f97ee8136bfe3f93485e946f2069b7ce504e0

SHA256
befc81440bbc001bd7647aca42962ee0b45b08435ee9f7140bf570af636b7dd5

SHA512
308ebb33c47b73ecd9c4e4e54ffd09aae5a96019559ef7b2a37a45bd89c42d0d5bdd21da1835fffd84a138b03662c3d68bd72725a22f1b0ddf0329438819ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_hashlib.pyd
MD5
1280a084744ef726a673b757b9364335

SHA1
203a83aee00f6dca7b5cf16f5d140ff5fb888bbe

SHA256
c2b3dc92abd96485032d1287941e405d56df05fb5ba68199497d8594400163e5

SHA512
637aa79bcfe2ac3f75319a4be3ee4e32769a52cf939a26564a73807b40e96328fd1e9b58e70abb0b4c204c77baeb61a5150f5ebc47a7262a9c520867f69f6075

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_lzma.pyd
MD5
d72665ea18965f103200ccc7ad072f85

SHA1
2b89543cd8bd1aa20e0d3150a3c394b90be0d204

SHA256
ab20e63d14259a7deca85a068796476c0efcc236a11d53b1816fc6f8956424a8

SHA512
aad0bcbeabaa50b1fdba4cf70fe281f58b62a81b680cc16ef7f238263625fc7bed9ae9321a7bf7010fe7b5bb28708bdfaa0138c4f35a52be6aaba71d03aaa3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_queue.pyd
MD5
2188964211b458221a65043820799ceb

SHA1
3155f1ade1556702eb7ffbc498b95d75f6b165c4

SHA256
cf8d872886f9c85d5705d40e9d602db33b66aa1d2d43f0e70482ecf91cf8610a

SHA512
943b42ed14fbfd91019f0c2c29ee149ef79efcdd710e68516afaff8387f98f5fa33e881f2f388c1acf0093c457826af226ad863fcce2324667b581068d589838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_socket.pyd
MD5
51a38a6bf4c7e3d71b21a88b7a1dd555

SHA1
7c10b8dbe3972e1df92393b01523a9f843c24ed3

SHA256
b7829ec5c6de17b30037e1b50f43e26b40fcd9acdabce0011d623f5c0cebd70e

SHA512
6d068e2418da43581e0cd3cbed606b89d9a095fdddd348c72e9dbbd9f2dc580ea445c6c972616620ad444268e1e489efff6b528395e27c4a98ecca953258e7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_sqlite3.pyd
MD5
938a875ad7f42afc56384e2c170114d1

SHA1
868645bcb661e070a7d21721e034808e702af22a

SHA256
238210354447b6c75fb742851a566ad4fbe4269f93336e22b18e91749f631e89

SHA512
ad79478f801c531540698e0e32e254cef10525703f6e424ebcc13aa7c3faae3c4981c45e1675b1536311e356c08c26b652396054ebd732e63855cc923b75f518

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_ssl.pyd
MD5
e577403078daf63ce6ddc07f195c45ce

SHA1
b4f8c0a6466efe7f1919b6f9332ff8db55d6d6d1

SHA256
49559f96f659917c1c0e0d7ccb4fcf915bc1a00e51a5b25fe417262ef0f47774

SHA512
d4015b716516f9f24b913f6bab9d9826b25efa57576b377aded57dde9dd83d95e451aa05378b909723af4b2a3bfaf5af6d4bd2a06858dce582f002e917bccbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\base_library.zip
MD5
b4776dfcab7d6d0634086e4f8631b2c5

SHA1
424f7b45da60c8dce01d5f8a06639922dcb6f306

SHA256
e6d6c56c91aa2e81b8abecefab5da7c52b910380304c898edd9717fb5116f01b

SHA512
a9d907e215d548377c5326ea40c33f86d0417441e06517e73e68837194edd51d92672179f5f6f04560d6313a18b9ee96dc2a58384784cdbe43a460fd122e8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\certifi\cacert.pem
MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libcrypto-1_1.dll
MD5
25c9d6fa8bf1222e82a37ef982f418d2

SHA1
e4bed3d1e76a58fc0119b7a2e70a998ca9ea7202

SHA256
3f70a63aacc024c4cd599ff1e12bf5b685719cf2b92c4420fd20ab032c9c898c

SHA512
2d6daf0e16971f9a6c1153bd67ff7fe2b1dbdeb5d05ea743cae231b85c9a27c4ee365f9c2141ea30a1edc9ebb32aa8a103b4949b5a0d9d031ad30acb2e9c60e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libssl-1_1.dll
MD5
d07120c4a7f7fa74d9c774d81663d685

SHA1
b5edb8821bd5b9184d55c8b16c805e4be966c7e5

SHA256
96fecbea2f57b69326eb2e0dcba7c32a8ae1d281d85f52c32fc39d5d4cca479b

SHA512
3b56595da7c83385266dd563275f44f0b3834c07ed268231043af1568dfdb5b370c4a76a880db7a203a727183bf867eb0ad2c792b5bf590ca42ca32c664dcea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\python37.dll
MD5
198dc945fa3a7215c2aa90bd296025b4

SHA1
ce991e920755d775d99ab91f40124f0aad92863d

SHA256
20cd780cf1e90778799e749812b00b1865938ef8990cd9bf2c1630787c6181c9

SHA512
a880aa55740e635e3fbd32b8128572b92f379913d405f3baf4e9ec67891ac3dd77dbed85074a958c89093ca378dac95733287a45ca89c75029a61ecde058c955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\select.pyd
MD5
cefff42d83a7dafe76d22589978aa085

SHA1
6cb9b60804a8b8fd19fe23612b4018cf1fd76854

SHA256
f8bf0c9909ee65038f5bfdb47c7ee037bf55c97d5be259aa904d4e53a9b5cd34

SHA512
1b2dbb98b543acc49db3647edabc32f5fba8880ee631b146a2078e1c7ebd867682245f4bf177252e92f0c297352b5ae734764154ed5e4c5878687b4f502cf35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\sqlite3.dll
MD5
373bc07173120b7839ad7da9c7971b16

SHA1
3794c46f6f4a7887b9bcca422a425689961d9802

SHA256
05901f8af79a8186ebc013d6f41f22e53fd43dcceead83265d74aef0e3078a9c

SHA512
130024a05c645188280a4514220866b1e408b88f76018d1bf47cfddb6f33297498ec29b362f37e530e182d9ba2c4456288b6936aee88eaff5beba6707203322c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\unicodedata.pyd
MD5
1d96ba2fc295ce9725e1949b266a980c

SHA1
1b7dd35c9d6b1046e04c70b49e40270901d1ed7f

SHA256
830359b3cf5719a5ee26a36b3968086aa21e46a067b8c2557ae8f433eef2c747

SHA512
7f501fe628773eff27e07bf85ef2bc3fa127fd653bbc54ee47e8ca59ce98a7cfc7ef4402c9e84c2433e5cc816656fd77d62a590fa5c57ae76066147140d619bb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\VCRUNTIME140.dll
MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_bz2.pyd
MD5
055cfc5297933c338d8c04fd4e2462a2

SHA1
bf8f97ee8136bfe3f93485e946f2069b7ce504e0

SHA256
befc81440bbc001bd7647aca42962ee0b45b08435ee9f7140bf570af636b7dd5

SHA512
308ebb33c47b73ecd9c4e4e54ffd09aae5a96019559ef7b2a37a45bd89c42d0d5bdd21da1835fffd84a138b03662c3d68bd72725a22f1b0ddf0329438819ead7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_hashlib.pyd
MD5
1280a084744ef726a673b757b9364335

SHA1
203a83aee00f6dca7b5cf16f5d140ff5fb888bbe

SHA256
c2b3dc92abd96485032d1287941e405d56df05fb5ba68199497d8594400163e5

SHA512
637aa79bcfe2ac3f75319a4be3ee4e32769a52cf939a26564a73807b40e96328fd1e9b58e70abb0b4c204c77baeb61a5150f5ebc47a7262a9c520867f69f6075

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_lzma.pyd
MD5
d72665ea18965f103200ccc7ad072f85

SHA1
2b89543cd8bd1aa20e0d3150a3c394b90be0d204

SHA256
ab20e63d14259a7deca85a068796476c0efcc236a11d53b1816fc6f8956424a8

SHA512
aad0bcbeabaa50b1fdba4cf70fe281f58b62a81b680cc16ef7f238263625fc7bed9ae9321a7bf7010fe7b5bb28708bdfaa0138c4f35a52be6aaba71d03aaa3dc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_queue.pyd
MD5
2188964211b458221a65043820799ceb

SHA1
3155f1ade1556702eb7ffbc498b95d75f6b165c4

SHA256
cf8d872886f9c85d5705d40e9d602db33b66aa1d2d43f0e70482ecf91cf8610a

SHA512
943b42ed14fbfd91019f0c2c29ee149ef79efcdd710e68516afaff8387f98f5fa33e881f2f388c1acf0093c457826af226ad863fcce2324667b581068d589838

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_socket.pyd
MD5
51a38a6bf4c7e3d71b21a88b7a1dd555

SHA1
7c10b8dbe3972e1df92393b01523a9f843c24ed3

SHA256
b7829ec5c6de17b30037e1b50f43e26b40fcd9acdabce0011d623f5c0cebd70e

SHA512
6d068e2418da43581e0cd3cbed606b89d9a095fdddd348c72e9dbbd9f2dc580ea445c6c972616620ad444268e1e489efff6b528395e27c4a98ecca953258e7a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_sqlite3.pyd
MD5
938a875ad7f42afc56384e2c170114d1

SHA1
868645bcb661e070a7d21721e034808e702af22a

SHA256
238210354447b6c75fb742851a566ad4fbe4269f93336e22b18e91749f631e89

SHA512
ad79478f801c531540698e0e32e254cef10525703f6e424ebcc13aa7c3faae3c4981c45e1675b1536311e356c08c26b652396054ebd732e63855cc923b75f518

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\_ssl.pyd
MD5
e577403078daf63ce6ddc07f195c45ce

SHA1
b4f8c0a6466efe7f1919b6f9332ff8db55d6d6d1

SHA256
49559f96f659917c1c0e0d7ccb4fcf915bc1a00e51a5b25fe417262ef0f47774

SHA512
d4015b716516f9f24b913f6bab9d9826b25efa57576b377aded57dde9dd83d95e451aa05378b909723af4b2a3bfaf5af6d4bd2a06858dce582f002e917bccbb2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\libcrypto-1_1.dll
MD5
25c9d6fa8bf1222e82a37ef982f418d2

SHA1
e4bed3d1e76a58fc0119b7a2e70a998ca9ea7202

SHA256
3f70a63aacc024c4cd599ff1e12bf5b685719cf2b92c4420fd20ab032c9c898c

SHA512
2d6daf0e16971f9a6c1153bd67ff7fe2b1dbdeb5d05ea743cae231b85c9a27c4ee365f9c2141ea30a1edc9ebb32aa8a103b4949b5a0d9d031ad30acb2e9c60e5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\libssl-1_1.dll
MD5
d07120c4a7f7fa74d9c774d81663d685

SHA1
b5edb8821bd5b9184d55c8b16c805e4be966c7e5

SHA256
96fecbea2f57b69326eb2e0dcba7c32a8ae1d281d85f52c32fc39d5d4cca479b

SHA512
3b56595da7c83385266dd563275f44f0b3834c07ed268231043af1568dfdb5b370c4a76a880db7a203a727183bf867eb0ad2c792b5bf590ca42ca32c664dcea0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\python37.dll
MD5
198dc945fa3a7215c2aa90bd296025b4

SHA1
ce991e920755d775d99ab91f40124f0aad92863d

SHA256
20cd780cf1e90778799e749812b00b1865938ef8990cd9bf2c1630787c6181c9

SHA512
a880aa55740e635e3fbd32b8128572b92f379913d405f3baf4e9ec67891ac3dd77dbed85074a958c89093ca378dac95733287a45ca89c75029a61ecde058c955

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\select.pyd
MD5
cefff42d83a7dafe76d22589978aa085

SHA1
6cb9b60804a8b8fd19fe23612b4018cf1fd76854

SHA256
f8bf0c9909ee65038f5bfdb47c7ee037bf55c97d5be259aa904d4e53a9b5cd34

SHA512
1b2dbb98b543acc49db3647edabc32f5fba8880ee631b146a2078e1c7ebd867682245f4bf177252e92f0c297352b5ae734764154ed5e4c5878687b4f502cf35b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\sqlite3.dll
MD5
373bc07173120b7839ad7da9c7971b16

SHA1
3794c46f6f4a7887b9bcca422a425689961d9802

SHA256
05901f8af79a8186ebc013d6f41f22e53fd43dcceead83265d74aef0e3078a9c

SHA512
130024a05c645188280a4514220866b1e408b88f76018d1bf47cfddb6f33297498ec29b362f37e530e182d9ba2c4456288b6936aee88eaff5beba6707203322c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16842\unicodedata.pyd
MD5
1d96ba2fc295ce9725e1949b266a980c

SHA1
1b7dd35c9d6b1046e04c70b49e40270901d1ed7f

SHA256
830359b3cf5719a5ee26a36b3968086aa21e46a067b8c2557ae8f433eef2c747

SHA512
7f501fe628773eff27e07bf85ef2bc3fa127fd653bbc54ee47e8ca59ce98a7cfc7ef4402c9e84c2433e5cc816656fd77d62a590fa5c57ae76066147140d619bb

Download Submit
memory/1444-2-0x0000000000000000-mapping.dmp

Download