Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:47

Static task: static1
Behavioral task: behavioral1
- Sample: d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
- Resource: win7-20220414-en
General
- Target: d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
- Size: 5.9MB
- MD5: c2529e5adae819ad0c9285bae4d27a9a
- SHA1: cc066793bd6167243bfd751be82567b150421ca4
- SHA256: d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488
- SHA512: dff6d2c871ba42fac7808ae3865b7972815c6d1c9520791c1b7d9412d8dc72dea1dc731d5547b1ee73768710a18f1a09b10ec6a5ea7772af9743ba5201046bbb
Malware Config
Signatures
- Loads dropped DLL (12 IoCs)
  Processes:
    pid   process
    1676  d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
    (this row is listed 12 times, once per IoC)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    1     api.ipify.org
    2     api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description  pid   process
    Token: 35    1676  d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1680 wrote to memory of 1676  1680  d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe  d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
    (this row is listed 3 times, once per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d2c7981831fb449e109e9f9787017a275bfe542203ae9eaf8b2e9d5eac5b9488.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\VCRUNTIME140.dll
  Filesize: 87KB
  MD5: 0e675d4a7a5b7ccd69013386793f68eb
  SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
  SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
  SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_bz2.pyd
  Filesize: 92KB
  MD5: cde853b48405adc6bb2009553951cf4b
  SHA1: 1cd5ecb2a7c4ded3663b497bfe9b190e7304135e
  SHA256: 9f3b2a39dd67f9c328dd0e021cae0fb9e60e78f451fc4071a529fde00db0c243
  SHA512: 7448f6f63a83018c64b69a5f0535aac4287ca838fb122101d02449c34120db3047b967202068fdec60939c28317cfeb5cd7ac8a7732eea84e9358689ee777cd4
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_hashlib.pyd
  Filesize: 38KB
  MD5: d2cd47354de38cc1edf86040e9661e6c
  SHA1: d228f223f2a26faf39fa9dae0d311bfd95ef17be
  SHA256: 85c2fb612e92eb687dfa6ec0a65bbddccb7b49de507b093744587af07c575116
  SHA512: f221c5afd0cd71754f97b5554275bd059233e12c2e96513639dea353c2644ec2b3da3ff9773878c793e9fa10239581fddde41f543a080ad5fc0afda7ba130061
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_lzma.pyd
  Filesize: 248KB
  MD5: a550f17aed5a5e6660fbfa406590af43
  SHA1: e23db31a9eadc90e9c5a1c8a3e55cc7aa677ff35
  SHA256: 2d3acac7982b190333b16bfc4a1f5ccfc24f50b16994001aee6e32a22df8292a
  SHA512: 40264569e3d73347e2a6148a6f9cc82896711ad5874d2b0bcdc3d33f59d96b22ca477fb083f44b7c753cfb11f8c511c9f475aa7d89a25e6f153bc2be7e7a7a3a
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_queue.pyd
  Filesize: 27KB
  MD5: d8c551b3236fcbf8eddcec60d120cb37
  SHA1: 6daa6c0a870644710fc0ae43b24f91b31a1bc163
  SHA256: bc63eb39366f7de378e2dfebc8ba8a1f574cfa6c90c642b282f60c2d79c0e320
  SHA512: 1a9245f44dc9c2f3d6e86e1c5650af10810d8ef9732c3304879dd1aac9ddf8bd132af1d4f870b713f3a9df618ef0ab12981d02a7012717ee2e9473f6dd64e051
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_socket.pyd
  Filesize: 75KB
  MD5: d01862e4afe155cd62e69935e739ee51
  SHA1: ffa93f260bc82fd33fb3be0d958bf6262537a773
  SHA256: 9506ef21605d443f1927089eacf0cd6c138bd88dcaef99cbe58960346113b67a
  SHA512: 3d22dae047d285126c7d527bcafb34c022c6f4d916b7200be7b2154265a7acbd73ab862f6263f531d1f9cb9ff90dcad432fd9bbad59fb847383be21e57c354a9
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\_ssl.pyd
  Filesize: 118KB
  MD5: b07ab1b3fdb06fa7923fd48c8d0ebe3e
  SHA1: 217ded2b45349d949848dd6f62b0df3ab8d8d3e4
  SHA256: aefcacf74e2c2b35d7aa2f15a00b32a00edb107fc3ec230cdad4fb7db23daea6
  SHA512: db815aa1341cae2ddba8087cc36abfc2d06fee5f8863f9a3fb23117a24394c21116fd6f46bf9a3f8925526037eb5ea29fb82bad88423fbe60a81e610f30e9964
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\base_library.zip
  Filesize: 768KB
  MD5: 931df1fab37cbc78e70e0167347936f9
  SHA1: 5b0fb3cece51b19c46dc601f3ab100b91e203e9f
  SHA256: ffad24e3c14de325c62d551b52c14507bb3ec4fe19f29bca5df714c64ef9fe28
  SHA512: f41930391271d9d6fdf6d55d328f20eb51a139e9751717fb2d2f66669b083ccce04677130755c51dd71d856dfd48b6bacbe4bc265823b85ebf4243c09a327ef6
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\certifi\cacert.pem
  Filesize: 275KB
  MD5: c760591283d5a4a987ad646b35de3717
  SHA1: 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
  SHA256: 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
  SHA512: c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\grabber.exe.manifest
  Filesize: 1KB
  MD5: 1742b1860362ee839afff995eccd000b
  SHA1: d7926c65bae53a4174c5786f4ca426fe7b405ca4
  SHA256: 77852f91ae6586125b5f489e78a623fba9c73095883fd7424fa4597aebe0dd38
  SHA512: 28182af3534f13d21618fc94cbdd1764f5498c43012a5192f1e6f458085b152526810d0a4fdf90e0364c2d7aae33c36149fb38b7a7887e0fa8caf09fc3ba1d46
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\libcrypto-1_1.dll
  Filesize: 3.2MB
  MD5: bf83f8ad60cb9db462ce62c73208a30d
  SHA1: f1bc7dbc1e5b00426a51878719196d78981674c4
  SHA256: 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
  SHA512: ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\libssl-1_1.dll
  Filesize: 670KB
  MD5: fe1f3632af98e7b7a2799e3973ba03cf
  SHA1: 353c7382e2de3ccdd2a4911e9e158e7c78648496
  SHA256: 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
  SHA512: a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\python37.dll
  Filesize: 3.6MB
  MD5: f8f12175880677bd010def8ba14208da
  SHA1: 889e23b96d78135dc3294c84ab900b91fa9f7a0c
  SHA256: 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27
  SHA512: 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\select.pyd
  Filesize: 26KB
  MD5: b394f7551ffd3f97386e48a71f99a702
  SHA1: 3edf2989b7985903a4987034fea468c38c3198c9
  SHA256: f219279eea9b8ec9e017fd59200c0aa49fa99e83eea18316fc1b3c8381e49f3f
  SHA512: 890fe0b477ebc1d9d25a94ff3db1bf7b0c4eb6d34114e7416f88d7ed085a0bc65ff34e3c7c75db773d54a17fed0bf09825be68bfeae16ebae179c35440941641
- C:\Users\Admin\AppData\Local\Temp\_MEI16802\unicodedata.pyd
  Filesize: 1.0MB
  MD5: 88ee2c01ae13210de752ec48daed4b45
  SHA1: 5b8792a27f22e8b81249689a7b1ebb136705a618
  SHA256: dc1dc90497aa73ff135acdcca8ac863aae5d774c45ece5a4d053d5c24624d0e5
  SHA512: 4fd96ba6adbbfd9fa659a07ed5d44d548d940b7069a375cea7732dd40f9e7dc183eaf2c3363ac3be1a34ebfc26def4ebf001ff4c802fcd6d594ececddc8b6131
- \Users\Admin\AppData\Local\Temp\_MEI16802\VCRUNTIME140.dll
  Filesize: 87KB
  MD5: 0e675d4a7a5b7ccd69013386793f68eb
  SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
  SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
  SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
- \Users\Admin\AppData\Local\Temp\_MEI16802\_bz2.pyd
  Filesize: 92KB
  MD5: cde853b48405adc6bb2009553951cf4b
  SHA1: 1cd5ecb2a7c4ded3663b497bfe9b190e7304135e
  SHA256: 9f3b2a39dd67f9c328dd0e021cae0fb9e60e78f451fc4071a529fde00db0c243
  SHA512: 7448f6f63a83018c64b69a5f0535aac4287ca838fb122101d02449c34120db3047b967202068fdec60939c28317cfeb5cd7ac8a7732eea84e9358689ee777cd4
- \Users\Admin\AppData\Local\Temp\_MEI16802\_hashlib.pyd
  Filesize: 38KB
  MD5: d2cd47354de38cc1edf86040e9661e6c
  SHA1: d228f223f2a26faf39fa9dae0d311bfd95ef17be
  SHA256: 85c2fb612e92eb687dfa6ec0a65bbddccb7b49de507b093744587af07c575116
  SHA512: f221c5afd0cd71754f97b5554275bd059233e12c2e96513639dea353c2644ec2b3da3ff9773878c793e9fa10239581fddde41f543a080ad5fc0afda7ba130061
- \Users\Admin\AppData\Local\Temp\_MEI16802\_lzma.pyd
  Filesize: 248KB
  MD5: a550f17aed5a5e6660fbfa406590af43
  SHA1: e23db31a9eadc90e9c5a1c8a3e55cc7aa677ff35
  SHA256: 2d3acac7982b190333b16bfc4a1f5ccfc24f50b16994001aee6e32a22df8292a
  SHA512: 40264569e3d73347e2a6148a6f9cc82896711ad5874d2b0bcdc3d33f59d96b22ca477fb083f44b7c753cfb11f8c511c9f475aa7d89a25e6f153bc2be7e7a7a3a
- \Users\Admin\AppData\Local\Temp\_MEI16802\_queue.pyd
  Filesize: 27KB
  MD5: d8c551b3236fcbf8eddcec60d120cb37
  SHA1: 6daa6c0a870644710fc0ae43b24f91b31a1bc163
  SHA256: bc63eb39366f7de378e2dfebc8ba8a1f574cfa6c90c642b282f60c2d79c0e320
  SHA512: 1a9245f44dc9c2f3d6e86e1c5650af10810d8ef9732c3304879dd1aac9ddf8bd132af1d4f870b713f3a9df618ef0ab12981d02a7012717ee2e9473f6dd64e051
- \Users\Admin\AppData\Local\Temp\_MEI16802\_socket.pyd
  Filesize: 75KB
  MD5: d01862e4afe155cd62e69935e739ee51
  SHA1: ffa93f260bc82fd33fb3be0d958bf6262537a773
  SHA256: 9506ef21605d443f1927089eacf0cd6c138bd88dcaef99cbe58960346113b67a
  SHA512: 3d22dae047d285126c7d527bcafb34c022c6f4d916b7200be7b2154265a7acbd73ab862f6263f531d1f9cb9ff90dcad432fd9bbad59fb847383be21e57c354a9
- \Users\Admin\AppData\Local\Temp\_MEI16802\_ssl.pyd
  Filesize: 118KB
  MD5: b07ab1b3fdb06fa7923fd48c8d0ebe3e
  SHA1: 217ded2b45349d949848dd6f62b0df3ab8d8d3e4
  SHA256: aefcacf74e2c2b35d7aa2f15a00b32a00edb107fc3ec230cdad4fb7db23daea6
  SHA512: db815aa1341cae2ddba8087cc36abfc2d06fee5f8863f9a3fb23117a24394c21116fd6f46bf9a3f8925526037eb5ea29fb82bad88423fbe60a81e610f30e9964
- \Users\Admin\AppData\Local\Temp\_MEI16802\libcrypto-1_1.dll
  Filesize: 3.2MB
  MD5: bf83f8ad60cb9db462ce62c73208a30d
  SHA1: f1bc7dbc1e5b00426a51878719196d78981674c4
  SHA256: 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
  SHA512: ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e
- \Users\Admin\AppData\Local\Temp\_MEI16802\libssl-1_1.dll
  Filesize: 670KB
  MD5: fe1f3632af98e7b7a2799e3973ba03cf
  SHA1: 353c7382e2de3ccdd2a4911e9e158e7c78648496
  SHA256: 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
  SHA512: a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0
- \Users\Admin\AppData\Local\Temp\_MEI16802\python37.dll
  Filesize: 3.6MB
  MD5: f8f12175880677bd010def8ba14208da
  SHA1: 889e23b96d78135dc3294c84ab900b91fa9f7a0c
  SHA256: 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27
  SHA512: 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304
- \Users\Admin\AppData\Local\Temp\_MEI16802\select.pyd
  Filesize: 26KB
  MD5: b394f7551ffd3f97386e48a71f99a702
  SHA1: 3edf2989b7985903a4987034fea468c38c3198c9
  SHA256: f219279eea9b8ec9e017fd59200c0aa49fa99e83eea18316fc1b3c8381e49f3f
  SHA512: 890fe0b477ebc1d9d25a94ff3db1bf7b0c4eb6d34114e7416f88d7ed085a0bc65ff34e3c7c75db773d54a17fed0bf09825be68bfeae16ebae179c35440941641
- \Users\Admin\AppData\Local\Temp\_MEI16802\unicodedata.pyd
  Filesize: 1.0MB
  MD5: 88ee2c01ae13210de752ec48daed4b45
  SHA1: 5b8792a27f22e8b81249689a7b1ebb136705a618
  SHA256: dc1dc90497aa73ff135acdcca8ac863aae5d774c45ece5a4d053d5c24624d0e5
  SHA512: 4fd96ba6adbbfd9fa659a07ed5d44d548d940b7069a375cea7732dd40f9e7dc183eaf2c3363ac3be1a34ebfc26def4ebf001ff4c802fcd6d594ececddc8b6131
- memory/1676-54-0x0000000000000000-mapping.dmp