83f4a3ccd2ff76f530a25ccf552a258c1ab4b3af4c255c53b3d37a4c0eff66c6

Analysis

max time kernel
118s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
23-09-2021 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d3b5399_gSM6wMWtJ6.exe
Size

5.5MB
MD5

9d3b53993be0744802cccd1c3eb84c4c
SHA1

403ecb0209591be52ef3bc90fdb4125d00187d31
SHA256

83f4a3ccd2ff76f530a25ccf552a258c1ab4b3af4c255c53b3d37a4c0eff66c6
SHA512

e24f4ff242c406e2c507143dd87bdcbf46dacd96392be4cb33f4e62e8f964e99f94f3556539e4698a9d7baf414b769bb4a7f9d51cef3a3997dfaf664064fe011

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

9d3b5399_gSM6wMWtJ6.exe

pid	process
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe
2480	9d3b5399_gSM6wMWtJ6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9d3b5399_gSM6wMWtJ6.exe

description pid process

Token: 35 2480 9d3b5399_gSM6wMWtJ6.exe

description	pid	process
Token: 35	2480	9d3b5399_gSM6wMWtJ6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9d3b5399_gSM6wMWtJ6.exe9d3b5399_gSM6wMWtJ6.exe

description	pid	process	target process
PID 2056 wrote to memory of 2480	2056	9d3b5399_gSM6wMWtJ6.exe	9d3b5399_gSM6wMWtJ6.exe
PID 2056 wrote to memory of 2480	2056	9d3b5399_gSM6wMWtJ6.exe	9d3b5399_gSM6wMWtJ6.exe
PID 2480 wrote to memory of 3392	2480	9d3b5399_gSM6wMWtJ6.exe	cmd.exe
PID 2480 wrote to memory of 3392	2480	9d3b5399_gSM6wMWtJ6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe
"C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe
"C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20562\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_bz2.pyd
MD5
cf77513525fc652bad6c7f85e192e94b

SHA1
23ec3bb9cdc356500ec192cac16906864d5e9a81

SHA256
8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41

SHA512
dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_hashlib.pyd
MD5
b32cb9615a9bada55e8f20dcea2fbf48

SHA1
a9c6e2d44b07b31c898a6d83b7093bf90915062d

SHA256
ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5

SHA512
5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_lzma.pyd
MD5
5fbb728a3b3abbdd830033586183a206

SHA1
066fde2fa80485c4f22e0552a4d433584d672a54

SHA256
f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b

SHA512
31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_socket.pyd
MD5
8ea18d0eeae9044c278d2ea7a1dbae36

SHA1
de210842da8cb1cb14318789575d65117d14e728

SHA256
9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2

SHA512
d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_ssl.pyd
MD5
5a393bb4f3ae499541356e57a766eb6a

SHA1
908f68f4ea1a754fd31edb662332cf0df238cf9a

SHA256
b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047

SHA512
958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\base_library.zip
MD5
d0d7afd942e32fc9ed6416d3e0d2e87f

SHA1
944e64b98b80bb53f1562fe435e428708305742c

SHA256
a158860800f5d831891b169304e908d65d6a901cfef9b713ca3617533186caef

SHA512
14705adb6710c9ad159a5a5d3502ae4419737f2cff57a9247429ac26bcbaddc3171429a958af1d4930eb75acf000aab373a5b3532876b7823f75181ad12bf5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\python37.dll
MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20562\select.pyd
MD5
fb4a0d7abaeaa76676846ad0f08fefa5

SHA1
755fd998215511506edd2c5c52807b46ca9393b2

SHA256
65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429

SHA512
f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\VCRUNTIME140.dll
MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\_bz2.pyd
MD5
cf77513525fc652bad6c7f85e192e94b

SHA1
23ec3bb9cdc356500ec192cac16906864d5e9a81

SHA256
8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41

SHA512
dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\_hashlib.pyd
MD5
b32cb9615a9bada55e8f20dcea2fbf48

SHA1
a9c6e2d44b07b31c898a6d83b7093bf90915062d

SHA256
ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5

SHA512
5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\_lzma.pyd
MD5
5fbb728a3b3abbdd830033586183a206

SHA1
066fde2fa80485c4f22e0552a4d433584d672a54

SHA256
f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b

SHA512
31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\_socket.pyd
MD5
8ea18d0eeae9044c278d2ea7a1dbae36

SHA1
de210842da8cb1cb14318789575d65117d14e728

SHA256
9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2

SHA512
d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\_ssl.pyd
MD5
5a393bb4f3ae499541356e57a766eb6a

SHA1
908f68f4ea1a754fd31edb662332cf0df238cf9a

SHA256
b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047

SHA512
958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\python37.dll
MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20562\select.pyd
MD5
fb4a0d7abaeaa76676846ad0f08fefa5

SHA1
755fd998215511506edd2c5c52807b46ca9393b2

SHA256
65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429

SHA512
f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

Download Submit
memory/2480-115-0x0000000000000000-mapping.dmp

Download
memory/3392-137-0x0000000000000000-mapping.dmp

Download