8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe

Analysis

max time kernel
62s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe
Size

325KB
MD5

8e243f0d912015e58b3a8e936ba9f2be
SHA1

91edd256caa08d5a641ef78684720427a77c6e78
SHA256

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe
SHA512

c845d94b2b2a4e90970165438870c5da842dc94ef59e24e80377eff5d3593bb5cab3e1f2c549883965940aa49a91aa0519fb33c3116112e05b6751d0e2f8ec36

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup-stub.exe

pid process

1900 setup-stub.exe

Loads dropped DLL 12 IoCs

Processes:

setup-stub.exe

pid	process
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe
1900	setup-stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 6 IoCs

Processes:

setup-stub.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DD.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DE.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DD.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DB.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DC.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsl23DB.tmp\	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup-stub.exe

pid process

1900 setup-stub.exe
1900 setup-stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe

description	pid	process	target process
PID 4012 wrote to memory of 1900	4012	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 4012 wrote to memory of 1900	4012	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 4012 wrote to memory of 1900	4012	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe
"C:\Users\Admin\AppData\Local\Temp\8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\7zSCAFA8F14\setup-stub.exe
.\setup-stub.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCAFA8F14\setup-stub.exe
MD5
70db8c3ea5cc700f3ed6b0c116cd89bb

SHA1
da504ff87fe32060f7319040449b4fdeff914280

SHA256
8f53fcf56d310d1a5d6ee22093231187ab9a12e1d76a04a99202adf233f675b3

SHA512
9c59085fbcccd8da3615b7f54e18341357d1e0dd05c5807da3390987ce5391b1d0234857bca108827a438d93b9297e1c4812ca26771a5ee3634beed257cba4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCAFA8F14\setup-stub.exe
MD5
70db8c3ea5cc700f3ed6b0c116cd89bb

SHA1
da504ff87fe32060f7319040449b4fdeff914280

SHA256
8f53fcf56d310d1a5d6ee22093231187ab9a12e1d76a04a99202adf233f675b3

SHA512
9c59085fbcccd8da3615b7f54e18341357d1e0dd05c5807da3390987ce5391b1d0234857bca108827a438d93b9297e1c4812ca26771a5ee3634beed257cba4f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\InetBgDL.dll
MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\WebBrowser.dll
MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
\Users\Admin\AppData\Local\Temp\nsg23BB.tmp\nsJSON.dll
MD5
f4d89d9a2a3e2f164aea3e93864905c9

SHA1
4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

SHA256
64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

SHA512
dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

Download Submit
memory/1900-114-0x0000000000000000-mapping.dmp

Download
memory/1900-127-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/1900-120-0x0000000002161000-0x0000000002165000-memory.dmp

Filesize
16KB

Download