3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
Size

666KB
MD5

81d975ad4ca267db5d3c50ea5875a563
SHA1

be11fb5a16735249000a48279cd1bd7aa8b06d90
SHA256

c724232309617b23a487c1713f4c90680354928f1d5f67200cdbe15e1421e43a
SHA512

ab822f7a07bbc124ea000afcd27c7c9981ce82d032e80369ba65959c5f83f28e15bec33cd9d5b740b41511bb7c7b15133739ace59f46cc13489d66d9e8e16df3

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe04138756-db15-4cb8-ac07-a11b119d4321.exe7a698f98-25cb-464f-81ee-bb172a51b45c.exe5462577.exe

pid	process
1124	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
1920	04138756-db15-4cb8-ac07-a11b119d4321.exe
1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
1956	5462577.exe

Loads dropped DLL 5 IoCs

Processes:

61e7502c4cff3_Tue232cba58c.exe7a698f98-25cb-464f-81ee-bb172a51b45c.exemsiexec.exe

pid	process
1560	61e7502c4cff3_Tue232cba58c.exe
1560	61e7502c4cff3_Tue232cba58c.exe
1560	61e7502c4cff3_Tue232cba58c.exe
1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
1912	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe

pid process

1124 2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

61e7502c4cff3_Tue232cba58c.exe7a698f98-25cb-464f-81ee-bb172a51b45c.exe2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe04138756-db15-4cb8-ac07-a11b119d4321.exe

description	pid	process
Token: SeDebugPrivilege	1560	61e7502c4cff3_Tue232cba58c.exe
Token: SeDebugPrivilege	1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
Token: SeDebugPrivilege	1124	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
Token: SeDebugPrivilege	1920	04138756-db15-4cb8-ac07-a11b119d4321.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

61e7502c4cff3_Tue232cba58c.exe7a698f98-25cb-464f-81ee-bb172a51b45c.exe5462577.exe

description	pid	process	target process
PID 1560 wrote to memory of 1124	1560	61e7502c4cff3_Tue232cba58c.exe	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
PID 1560 wrote to memory of 1124	1560	61e7502c4cff3_Tue232cba58c.exe	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
PID 1560 wrote to memory of 1124	1560	61e7502c4cff3_Tue232cba58c.exe	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
PID 1560 wrote to memory of 1124	1560	61e7502c4cff3_Tue232cba58c.exe	2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
PID 1560 wrote to memory of 1920	1560	61e7502c4cff3_Tue232cba58c.exe	04138756-db15-4cb8-ac07-a11b119d4321.exe
PID 1560 wrote to memory of 1920	1560	61e7502c4cff3_Tue232cba58c.exe	04138756-db15-4cb8-ac07-a11b119d4321.exe
PID 1560 wrote to memory of 1920	1560	61e7502c4cff3_Tue232cba58c.exe	04138756-db15-4cb8-ac07-a11b119d4321.exe
PID 1560 wrote to memory of 1920	1560	61e7502c4cff3_Tue232cba58c.exe	04138756-db15-4cb8-ac07-a11b119d4321.exe
PID 1560 wrote to memory of 1084	1560	61e7502c4cff3_Tue232cba58c.exe	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
PID 1560 wrote to memory of 1084	1560	61e7502c4cff3_Tue232cba58c.exe	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
PID 1560 wrote to memory of 1084	1560	61e7502c4cff3_Tue232cba58c.exe	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
PID 1560 wrote to memory of 1084	1560	61e7502c4cff3_Tue232cba58c.exe	7a698f98-25cb-464f-81ee-bb172a51b45c.exe
PID 1084 wrote to memory of 1956	1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe	5462577.exe
PID 1084 wrote to memory of 1956	1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe	5462577.exe
PID 1084 wrote to memory of 1956	1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe	5462577.exe
PID 1084 wrote to memory of 1956	1084	7a698f98-25cb-464f-81ee-bb172a51b45c.exe	5462577.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe
PID 1956 wrote to memory of 1912	1956	5462577.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
"C:\Users\Admin\AppData\Local\Temp\2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\04138756-db15-4cb8-ac07-a11b119d4321.exe
"C:\Users\Admin\AppData\Local\Temp\04138756-db15-4cb8-ac07-a11b119d4321.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\7a698f98-25cb-464f-81ee-bb172a51b45c.exe
"C:\Users\Admin\AppData\Local\Temp\7a698f98-25cb-464f-81ee-bb172a51b45c.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Roaming\5462577.exe
"C:\Users\Admin\AppData\Roaming\5462577.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -y .\RHRU.w
4⤵
- Loads dropped DLL
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04138756-db15-4cb8-ac07-a11b119d4321.exe
MD5
44c54d9df1aa839d87dc57ffb2e08e47

SHA1
207115f8b9bb1df11d1b303c2022022c989538e4

SHA256
89ce5d23a441abecd3998176b67575fde60681cb4b212d32bf15510c140c3edd

SHA512
a41965e06f72f1b45bd9848283863fa1b644fafd88ebd8f1e21b8598f77d8728a09d7eafce8ef7851f05d3ee4c1ca4f20cd4d15e7cf4c5dcf836d03e34152265

Download Submit
C:\Users\Admin\AppData\Local\Temp\04138756-db15-4cb8-ac07-a11b119d4321.exe
MD5
44c54d9df1aa839d87dc57ffb2e08e47

SHA1
207115f8b9bb1df11d1b303c2022022c989538e4

SHA256
89ce5d23a441abecd3998176b67575fde60681cb4b212d32bf15510c140c3edd

SHA512
a41965e06f72f1b45bd9848283863fa1b644fafd88ebd8f1e21b8598f77d8728a09d7eafce8ef7851f05d3ee4c1ca4f20cd4d15e7cf4c5dcf836d03e34152265

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
MD5
d4b53988dafc780492879e7ff4a1fd59

SHA1
8621a87b1a44c5c1b1028c93dc1b086d3aa9c803

SHA256
4f9f250566dcef6c67a5d4d2c23063439ceec6c2f2e162f10f1f4c20a281ab2a

SHA512
6a9c3902af89ab873a7d34871fcf9e34a78924620d7835e387f051d183c764054ee809d2e9603e275224b3b252b95504b5475b16bb6735d63c4408c7cc3c458f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
MD5
d4b53988dafc780492879e7ff4a1fd59

SHA1
8621a87b1a44c5c1b1028c93dc1b086d3aa9c803

SHA256
4f9f250566dcef6c67a5d4d2c23063439ceec6c2f2e162f10f1f4c20a281ab2a

SHA512
6a9c3902af89ab873a7d34871fcf9e34a78924620d7835e387f051d183c764054ee809d2e9603e275224b3b252b95504b5475b16bb6735d63c4408c7cc3c458f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a698f98-25cb-464f-81ee-bb172a51b45c.exe
MD5
5beda0d7ed8d3dd17469ff195a56dff1

SHA1
2804895ca0abdfb647f23dfe762a42e660dac859

SHA256
d403508d462db3db0bb3724ed1719df88153bf6812043d81fdf4c484bca5505c

SHA512
c7fdf61ce6d346df5373654342171190d2837e6d63e42880e6253b2563830258737fa69ff07b96c2752bf331c57a9d2727c172107e85a87d5f267b31e2eb9329

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a698f98-25cb-464f-81ee-bb172a51b45c.exe
MD5
5beda0d7ed8d3dd17469ff195a56dff1

SHA1
2804895ca0abdfb647f23dfe762a42e660dac859

SHA256
d403508d462db3db0bb3724ed1719df88153bf6812043d81fdf4c484bca5505c

SHA512
c7fdf61ce6d346df5373654342171190d2837e6d63e42880e6253b2563830258737fa69ff07b96c2752bf331c57a9d2727c172107e85a87d5f267b31e2eb9329

Download Submit
C:\Users\Admin\AppData\Local\Temp\RHRU.w
MD5
ba940b915b02966218763135172bd67e

SHA1
30ea0cb7ea7e80a5c2b0241ef7f0f88154cc2277

SHA256
00b8904b1d7b6a219d13078bf9ab623709e05396a51889dc9f7ca2c29d57fd64

SHA512
8a340b15a0f0f656eda57fbcf7fc692185b58ce71fe0999662bfcfc47daf98fe23b70ba17cdacdc89de2dd2074caae1aa86e7305bf374a2d4c2e1f5b63f79fc1

Download Submit
C:\Users\Admin\AppData\Roaming\5462577.exe
MD5
dc578f8fe0298c2c55c7e1f50f2e8f53

SHA1
93832f343096af506045ce9aba3e57aad64afc62

SHA256
6af6d9f36071d3f1ae3b1316237891aa14141c60710a5f7eb858b38ddef0812c

SHA512
2e2d2c86d9a3c57f4075640fc7f99c1ba1ded90e7438f0213550c2f501f40723b1bcef6f3ad43ee4e78e3b60880010b69056fe1c177f601d371ba3151b809011

Download Submit
C:\Users\Admin\AppData\Roaming\5462577.exe
MD5
dc578f8fe0298c2c55c7e1f50f2e8f53

SHA1
93832f343096af506045ce9aba3e57aad64afc62

SHA256
6af6d9f36071d3f1ae3b1316237891aa14141c60710a5f7eb858b38ddef0812c

SHA512
2e2d2c86d9a3c57f4075640fc7f99c1ba1ded90e7438f0213550c2f501f40723b1bcef6f3ad43ee4e78e3b60880010b69056fe1c177f601d371ba3151b809011

Download Submit
\Users\Admin\AppData\Local\Temp\04138756-db15-4cb8-ac07-a11b119d4321.exe
MD5
44c54d9df1aa839d87dc57ffb2e08e47

SHA1
207115f8b9bb1df11d1b303c2022022c989538e4

SHA256
89ce5d23a441abecd3998176b67575fde60681cb4b212d32bf15510c140c3edd

SHA512
a41965e06f72f1b45bd9848283863fa1b644fafd88ebd8f1e21b8598f77d8728a09d7eafce8ef7851f05d3ee4c1ca4f20cd4d15e7cf4c5dcf836d03e34152265

Download Submit
\Users\Admin\AppData\Local\Temp\2d7dd12a-3745-4f63-91ee-7dcb031a0969.exe
MD5
d4b53988dafc780492879e7ff4a1fd59

SHA1
8621a87b1a44c5c1b1028c93dc1b086d3aa9c803

SHA256
4f9f250566dcef6c67a5d4d2c23063439ceec6c2f2e162f10f1f4c20a281ab2a

SHA512
6a9c3902af89ab873a7d34871fcf9e34a78924620d7835e387f051d183c764054ee809d2e9603e275224b3b252b95504b5475b16bb6735d63c4408c7cc3c458f

Download Submit
\Users\Admin\AppData\Local\Temp\7a698f98-25cb-464f-81ee-bb172a51b45c.exe
MD5
5beda0d7ed8d3dd17469ff195a56dff1

SHA1
2804895ca0abdfb647f23dfe762a42e660dac859

SHA256
d403508d462db3db0bb3724ed1719df88153bf6812043d81fdf4c484bca5505c

SHA512
c7fdf61ce6d346df5373654342171190d2837e6d63e42880e6253b2563830258737fa69ff07b96c2752bf331c57a9d2727c172107e85a87d5f267b31e2eb9329

Download Submit
\Users\Admin\AppData\Local\Temp\rHRU.w
MD5
1409e60c2784d74e20389aff385ea74c

SHA1
a5c4c6d8c0c75764a14cc3445afa81267471ff1f

SHA256
4a42432e41eba4a68cb907cb7fb796400a835352642f7d3f6f612fbbb8e20777

SHA512
da534257157d8368fdeb10e16861ed4d01d06cb9430f6e3125fac830a43042a5aa909b47ed51ee3ac0ec5ecd21afdfd89396097e1f57286d43afb778bbe0f392

Download Submit
\Users\Admin\AppData\Roaming\5462577.exe
MD5
dc578f8fe0298c2c55c7e1f50f2e8f53

SHA1
93832f343096af506045ce9aba3e57aad64afc62

SHA256
6af6d9f36071d3f1ae3b1316237891aa14141c60710a5f7eb858b38ddef0812c

SHA512
2e2d2c86d9a3c57f4075640fc7f99c1ba1ded90e7438f0213550c2f501f40723b1bcef6f3ad43ee4e78e3b60880010b69056fe1c177f601d371ba3151b809011

Download Submit
memory/1084-119-0x0000000002310000-0x0000000002330000-memory.dmp

Filesize
128KB

Download
memory/1084-113-0x0000000000770000-0x00000000007A1000-memory.dmp

Filesize
196KB

Download
memory/1084-102-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1084-120-0x0000000002771000-0x0000000002772000-memory.dmp

Filesize
4KB

Download
memory/1084-99-0x0000000000600000-0x000000000063B000-memory.dmp

Filesize
236KB

Download
memory/1084-97-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/1084-121-0x0000000002772000-0x0000000002773000-memory.dmp

Filesize
4KB

Download
memory/1084-96-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1084-95-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/1084-122-0x0000000002774000-0x0000000002775000-memory.dmp

Filesize
4KB

Download
memory/1124-72-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1124-100-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1124-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1124-81-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/1124-82-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/1124-93-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/1124-101-0x0000000004AE4000-0x0000000004AE5000-memory.dmp

Filesize
4KB

Download
memory/1124-98-0x0000000004AE1000-0x0000000004AE2000-memory.dmp

Filesize
4KB

Download
memory/1560-67-0x0000000004BD4000-0x0000000004BD5000-memory.dmp

Filesize
4KB

Download
memory/1560-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download
memory/1560-56-0x0000000000500000-0x000000000053B000-memory.dmp

Filesize
236KB

Download
memory/1560-55-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1560-57-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1560-58-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/1560-64-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1560-66-0x0000000004BD2000-0x0000000004BD3000-memory.dmp

Filesize
4KB

Download
memory/1560-65-0x0000000004BD1000-0x0000000004BD2000-memory.dmp

Filesize
4KB

Download
memory/1920-109-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/1920-84-0x00000000005F0000-0x000000000062B000-memory.dmp

Filesize
236KB

Download
memory/1920-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1920-112-0x0000000004D14000-0x0000000004D15000-memory.dmp

Filesize
4KB

Download
memory/1920-111-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/1920-110-0x0000000004D11000-0x0000000004D12000-memory.dmp

Filesize
4KB

Download
memory/1920-79-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1920-78-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1920-103-0x0000000000380000-0x00000000003AF000-memory.dmp

Filesize
188KB

Download
memory/1920-80-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download