Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 05:55

Static task: static1
Behavioral task: behavioral1
- Sample: 23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe
- Resource: win7-20220414-en
General
- Target: 23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe
- Size: 5.4MB
- MD5: be326ce4403d85537122c48c68344745
- SHA1: 75c4e1f9af7e930a4b28d798eecc50a439f01c35
- SHA256: 23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe
- SHA512: bcfda9ea07bb20a66fa5481a2a4920c96ff077910fc7a0c16f8bd7759858d02833171bfbec2b1cbcd3f1af254c3c9de5730529bf6585f8e39d4e268584ba4d08
Malware Config
Signatures
- Loads dropped DLL (12 IoCs)
  Processes:
    pid   process
    3272  23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe
  (this row is recorded 12 times, once per DLL loaded by PID 3272)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     api.ipify.org
    4     api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description  pid   process
    Token: 35    3272  23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1792 wrote to memory of 3272  1792  23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe  23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe
  (this row is recorded twice)
Processes
- C:\Users\Admin\AppData\Local\Temp\23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe (PID 1792)
  command line: "C:\Users\Admin\AppData\Local\Temp\23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe (PID 3272, child of PID 1792)
    command line: "C:\Users\Admin\AppData\Local\Temp\23e688569cd83f678cb34072356d0c6771823674cec068b39379835d6b80c4fe.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (path and size). _MEI17922 is the temporary extraction directory of a PyInstaller one-file bundle; its numeric suffix matches the parent PID 1792 seen above.
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\DiscordAccountGenerator.exe.manifest  1KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\VCRUNTIME140.dll  87KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_bz2.pyd  87KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_hashlib.pyd  38KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_lzma.pyd  251KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_queue.pyd  27KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_socket.pyd  74KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\_ssl.pyd  120KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\base_library.zip  767KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\certifi\cacert.pem  275KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\libcrypto-1_1-x64.dll  2.4MB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\libssl-1_1-x64.dll  511KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\python37.dll  3.6MB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\select.pyd  26KB
- C:\Users\Admin\AppData\Local\Temp\_MEI17922\unicodedata.pyd  1.0MB
- memory/3272-130-0x0000000000000000-mapping.dmp (memory dump of PID 3272)