e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80

Analysis

max time kernel
38s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
Size

6.0MB
MD5

c3b3253336dda75f4759cbb14709ebb7
SHA1

1d271952c9091a7de8e3021fb6f0d939c39aef13
SHA256

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80
SHA512

d813a15e48dd1aa4c98bec9a75b52631de63781c34b2c41431e30c01cf9d577d7489ac711f0a54734d880dc05dda47652e7832987cfbe605291c54a28a389f3b

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 11 IoCs

Processes:

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

pid	process
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

pid process

968 e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

pid process

968 e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

description pid process

Token: 35 968 e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

description	pid	process
Token: 35	968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exee1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe

description	pid	process	target process
PID 1212 wrote to memory of 968	1212	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
PID 1212 wrote to memory of 968	1212	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
PID 1212 wrote to memory of 968	1212	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
PID 968 wrote to memory of 804	968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	cmd.exe
PID 968 wrote to memory of 804	968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	cmd.exe
PID 968 wrote to memory of 804	968	e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
"C:\Users\Admin\AppData\Local\Temp\e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe
"C:\Users\Admin\AppData\Local\Temp\e1e4d09e7f9fa0ea6222785a9752136ccf2675289c4e736e3713ebbfbf6deb80.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12122\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_bz2.pyd
Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_ctypes.pyd
Filesize
122KB

MD5
3e3785757daea4e4e05a1b24461a60e1

SHA1
6b114125c9f086602cbc1e0ce0723374c90884cb

SHA256
72b7108ab9167f4cf780bac0c074c9be62ebaa43a9f5327f803c2c20a5f33d14

SHA512
a686def1331d31d779e308a6621d838495687176592f7ff0b41682f07473498d4782308a172a59fd7ef40f2c81042e851f607821c378acc9ab16da01a1ad3a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_hashlib.pyd
Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_lzma.pyd
Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_pytransform.dll
Filesize
1.1MB

MD5
a8f9e170f1d9e6348e7a292b1d66deeb

SHA1
ce7650656a993367f45e388d652d4daaa326ca1e

SHA256
06b689eea4d1f2ba572c60de9f3d420a8dc7d8cdfb61a28c5e03c640721a31b4

SHA512
ecfde73773d67bbb2176da5d3afbad6c7f9a04a8457ecda919592d9c97bc1130bdeb34d8fe9079ce0ad65501c48ac40ef4a1f2f23b53b31fe3ac209e6b131eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_socket.pyd
Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\_ssl.pyd
Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\base_library.zip
Filesize
756KB

MD5
b29fdc5dbfbe068e3e5807eccdb2565f

SHA1
280bd6ede7f4add3a28fa33fc5ccde29a66b8c7e

SHA256
72e2b512b24b20651e1299de0b1e71482808d98546a5efd665658d328b85ba2a

SHA512
dd362f167f0353bfa591c488268b8b5ecfb81a49df904a18f2b0ee44f2875d960091aa61aab78ce8ca215ccb4750e6027713b12924f3f2230f05e1874a3938d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\certifi\cacert.pem
Filesize
275KB

MD5
c760591283d5a4a987ad646b35de3717

SHA1
5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134

SHA256
1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e

SHA512
c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\main.exe.manifest
Filesize
1KB

MD5
e0bf7f40423528a74e81a5a0c3940d95

SHA1
69018ec3d49e7d8ac2755aa22f623b75c18b3b0d

SHA256
18ae5b418f203ffc923bfeed20e5fef64b748d35c039adbeba096e8bf2b09ce0

SHA512
5b750d2c722b85fa279f8e6bed82f4547d3a33aaf0995a6d63492fd14c0ed12ecf59d5363fc7235aa601f97ff273e693f0d433eae04ca494379ec08aff6ed84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\python36.dll
Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\select.pyd
Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12122\unicodedata.pyd
Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_bz2.pyd
Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_ctypes.pyd
Filesize
122KB

MD5
3e3785757daea4e4e05a1b24461a60e1

SHA1
6b114125c9f086602cbc1e0ce0723374c90884cb

SHA256
72b7108ab9167f4cf780bac0c074c9be62ebaa43a9f5327f803c2c20a5f33d14

SHA512
a686def1331d31d779e308a6621d838495687176592f7ff0b41682f07473498d4782308a172a59fd7ef40f2c81042e851f607821c378acc9ab16da01a1ad3a3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_hashlib.pyd
Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_lzma.pyd
Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_pytransform.dll
Filesize
1.1MB

MD5
a8f9e170f1d9e6348e7a292b1d66deeb

SHA1
ce7650656a993367f45e388d652d4daaa326ca1e

SHA256
06b689eea4d1f2ba572c60de9f3d420a8dc7d8cdfb61a28c5e03c640721a31b4

SHA512
ecfde73773d67bbb2176da5d3afbad6c7f9a04a8457ecda919592d9c97bc1130bdeb34d8fe9079ce0ad65501c48ac40ef4a1f2f23b53b31fe3ac209e6b131eea

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_socket.pyd
Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\_ssl.pyd
Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\python36.dll
Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\select.pyd
Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12122\unicodedata.pyd
Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
memory/804-80-0x0000000000000000-mapping.dmp

Download
memory/968-54-0x0000000000000000-mapping.dmp

Download