7b3f6ba3d8014a27e5d42a7bfee09fb5ba0320bd07aef90b7c7cf0162568c296

Analysis

max time kernel
62s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-.exe
Size

278KB
MD5

3f43374d0862425c4894da8a4ea9c7f2
SHA1

7b6fd6ad2a57578b2012108880bf89afd315ea9c
SHA256

5066020c9801057b9e6e6e5ced5ef8d35854cb58118e4aae55d7d3b532ebcecd
SHA512

e4765241eda5f1eb5d479e8c2c0497a8c59f70b815f864955846d68160aebcf165e15d52751dc7cf99d5ac203f15d493940daf478a2e5346b09f1beddefceec9

Score

8^/10

spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup-stub.exe

pid process

1244 setup-stub.exe

Loads dropped DLL 14 IoCs

Processes:

setup-stub.exe

pid	process
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe
1244	setup-stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 6 IoCs

Processes:

setup-stub.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3467.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3466.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3468.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3469.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3468.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsi3466.tmp	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

-.exe

description	pid	process	target process
PID 3884 wrote to memory of 1244	3884	-.exe	setup-stub.exe
PID 3884 wrote to memory of 1244	3884	-.exe	setup-stub.exe
PID 3884 wrote to memory of 1244	3884	-.exe	setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\-.exe
"C:\Users\Admin\AppData\Local\Temp\-.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\7zSC2F92814\setup-stub.exe
.\setup-stub.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC2F92814\setup-stub.exe
MD5
d6beab92d6f1a47ebc525d9931da9f62

SHA1
b5f39c15127b92065184fb1f77a8fd9613e0eb3f

SHA256
54fa27f858e1b23905ad776330a51cb8c27eaa14c31c767d18a104f521f25461

SHA512
b331a90c2431dc13e60baf948979b7b155f2b95d64d6101eb0de02d3e79cb53271da406afc7ca7d4f3f8dfa4f62e2f965e2a6b715e4fdb3786d268041f0f1811

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2F92814\setup-stub.exe
MD5
d6beab92d6f1a47ebc525d9931da9f62

SHA1
b5f39c15127b92065184fb1f77a8fd9613e0eb3f

SHA256
54fa27f858e1b23905ad776330a51cb8c27eaa14c31c767d18a104f521f25461

SHA512
b331a90c2431dc13e60baf948979b7b155f2b95d64d6101eb0de02d3e79cb53271da406afc7ca7d4f3f8dfa4f62e2f965e2a6b715e4fdb3786d268041f0f1811

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\InetBgDL.dll
MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\InetBgDL.dll
MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\nsDialogs.dll
MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\nsDialogs.dll
MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3426.tmp\nsJSON.dll
MD5
f4d89d9a2a3e2f164aea3e93864905c9

SHA1
4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

SHA256
64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

SHA512
dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

Download Submit
memory/1244-15-0x00000000026C1000-0x00000000026C8000-memory.dmp

Filesize
28KB

Download
memory/1244-2-0x0000000000000000-mapping.dmp

Download
memory/1244-8-0x00000000026C1000-0x00000000026C5000-memory.dmp

Filesize
16KB

Download
memory/1244-21-0x0000000002851000-0x0000000002857000-memory.dmp

Filesize
24KB

Download