e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
Size

5.0MB
MD5

c7d00e4d6319da479042c9f645a0377e
SHA1

cf9d94078ed2223116321d1641a9484160d616e8
SHA256

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a
SHA512

a0b4dd89c1fdee826f997dab330ff3046c2c87a4924d64162358867b85ff9fb5018c602b0ed65db7ff4045e57d36fa732fa9665226216feebe7f6ca6c49d014b

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 9 IoCs

Processes:

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

pid	process
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

pid process

1356 e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

description pid process

Token: 35 1356 e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

description	pid	process
Token: 35	1356	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

description	pid	process	target process
PID 1632 wrote to memory of 1356	1632	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
PID 1632 wrote to memory of 1356	1632	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
PID 1632 wrote to memory of 1356	1632	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe	e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe

C:\Users\Admin\AppData\Local\Temp\e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
"C:\Users\Admin\AppData\Local\Temp\e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe
  "C:\Users\Admin\AppData\Local\Temp\e92326c48a471a0b60bdb277f993d6ed4be401aa4a1d73617e1e2a2e18d26d1a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16322\VCRUNTIME140.dll

Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_bz2.pyd

Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_hashlib.pyd

Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_lzma.pyd

Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_socket.pyd

Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_ssl.pyd

Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\base_library.zip

Filesize
756KB

MD5
713be34d584be62d94b1067c7b156ec5

SHA1
a94a7f90d87b651342085c53c1f742a469e864c3

SHA256
2f4bcc354f6995e285e80844e03718ac880520f42e75114b099577cb30c0ef93

SHA512
f5394d8628ff93323a7ec42efa41218d0a917c96e4ff559bc9dbf736c3ca22787e82fbdaf95aaab5a4b08d49b5b00f30f5b2d731a67ebe8559ffd9f8b7ba4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\python36.dll

Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\select.pyd

Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\unicodedata.pyd

Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\VCRUNTIME140.dll

Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\_bz2.pyd

Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\_hashlib.pyd

Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\_lzma.pyd

Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\_socket.pyd

Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\_ssl.pyd

Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\python36.dll

Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\select.pyd

Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\unicodedata.pyd

Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
memory/1356-54-0x0000000000000000-mapping.dmp

Download