Analysis
-
max time kernel
118s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
23-09-2021 05:29
Static task
static1
Behavioral task
behavioral1
Sample
9d3b5399_gSM6wMWtJ6.exe
Resource
win7-en-20210920
General
-
Target
9d3b5399_gSM6wMWtJ6.exe
-
Size
5.5MB
-
MD5
9d3b53993be0744802cccd1c3eb84c4c
-
SHA1
403ecb0209591be52ef3bc90fdb4125d00187d31
-
SHA256
83f4a3ccd2ff76f530a25ccf552a258c1ab4b3af4c255c53b3d37a4c0eff66c6
-
SHA512
e24f4ff242c406e2c507143dd87bdcbf46dacd96392be4cb33f4e62e8f964e99f94f3556539e4698a9d7baf414b769bb4a7f9d51cef3a3997dfaf664064fe011
Malware Config
Signatures
-
Loads dropped DLL 10 IoCs
Processes:
9d3b5399_gSM6wMWtJ6.exepid process 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe 2480 9d3b5399_gSM6wMWtJ6.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
9d3b5399_gSM6wMWtJ6.exedescription pid process Token: 35 2480 9d3b5399_gSM6wMWtJ6.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
9d3b5399_gSM6wMWtJ6.exe9d3b5399_gSM6wMWtJ6.exedescription pid process target process PID 2056 wrote to memory of 2480 2056 9d3b5399_gSM6wMWtJ6.exe 9d3b5399_gSM6wMWtJ6.exe PID 2056 wrote to memory of 2480 2056 9d3b5399_gSM6wMWtJ6.exe 9d3b5399_gSM6wMWtJ6.exe PID 2480 wrote to memory of 3392 2480 9d3b5399_gSM6wMWtJ6.exe cmd.exe PID 2480 wrote to memory of 3392 2480 9d3b5399_gSM6wMWtJ6.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"C:\Users\Admin\AppData\Local\Temp\9d3b5399_gSM6wMWtJ6.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\VCRUNTIME140.dllMD5
89a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_bz2.pydMD5
cf77513525fc652bad6c7f85e192e94b
SHA123ec3bb9cdc356500ec192cac16906864d5e9a81
SHA2568bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_hashlib.pydMD5
b32cb9615a9bada55e8f20dcea2fbf48
SHA1a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA5125c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_lzma.pydMD5
5fbb728a3b3abbdd830033586183a206
SHA1066fde2fa80485c4f22e0552a4d433584d672a54
SHA256f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA51231e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_socket.pydMD5
8ea18d0eeae9044c278d2ea7a1dbae36
SHA1de210842da8cb1cb14318789575d65117d14e728
SHA2569822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\_ssl.pydMD5
5a393bb4f3ae499541356e57a766eb6a
SHA1908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\base_library.zipMD5
d0d7afd942e32fc9ed6416d3e0d2e87f
SHA1944e64b98b80bb53f1562fe435e428708305742c
SHA256a158860800f5d831891b169304e908d65d6a901cfef9b713ca3617533186caef
SHA51214705adb6710c9ad159a5a5d3502ae4419737f2cff57a9247429ac26bcbaddc3171429a958af1d4930eb75acf000aab373a5b3532876b7823f75181ad12bf5cf
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\libcrypto-1_1.dllMD5
cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\libssl-1_1.dllMD5
bc778f33480148efa5d62b2ec85aaa7d
SHA1b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA2569d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA51280c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\python37.dllMD5
c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
C:\Users\Admin\AppData\Local\Temp\_MEI20562\select.pydMD5
fb4a0d7abaeaa76676846ad0f08fefa5
SHA1755fd998215511506edd2c5c52807b46ca9393b2
SHA25665a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f
-
\Users\Admin\AppData\Local\Temp\_MEI20562\VCRUNTIME140.dllMD5
89a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
\Users\Admin\AppData\Local\Temp\_MEI20562\_bz2.pydMD5
cf77513525fc652bad6c7f85e192e94b
SHA123ec3bb9cdc356500ec192cac16906864d5e9a81
SHA2568bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9
-
\Users\Admin\AppData\Local\Temp\_MEI20562\_hashlib.pydMD5
b32cb9615a9bada55e8f20dcea2fbf48
SHA1a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA5125c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
-
\Users\Admin\AppData\Local\Temp\_MEI20562\_lzma.pydMD5
5fbb728a3b3abbdd830033586183a206
SHA1066fde2fa80485c4f22e0552a4d433584d672a54
SHA256f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA51231e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb
-
\Users\Admin\AppData\Local\Temp\_MEI20562\_socket.pydMD5
8ea18d0eeae9044c278d2ea7a1dbae36
SHA1de210842da8cb1cb14318789575d65117d14e728
SHA2569822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0
-
\Users\Admin\AppData\Local\Temp\_MEI20562\_ssl.pydMD5
5a393bb4f3ae499541356e57a766eb6a
SHA1908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f
-
\Users\Admin\AppData\Local\Temp\_MEI20562\libcrypto-1_1.dllMD5
cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
\Users\Admin\AppData\Local\Temp\_MEI20562\libssl-1_1.dllMD5
bc778f33480148efa5d62b2ec85aaa7d
SHA1b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA2569d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA51280c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173
-
\Users\Admin\AppData\Local\Temp\_MEI20562\python37.dllMD5
c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
\Users\Admin\AppData\Local\Temp\_MEI20562\select.pydMD5
fb4a0d7abaeaa76676846ad0f08fefa5
SHA1755fd998215511506edd2c5c52807b46ca9393b2
SHA25665a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f
-
memory/2480-115-0x0000000000000000-mapping.dmp
-
memory/3392-137-0x0000000000000000-mapping.dmp