Analysis

  • max time kernel
    28s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 18:13

General

  • Target

    63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49.exe

  • Size

    9.3MB

  • MD5

    0fbcb355e951c62f4120a03408b1f1c0

  • SHA1

    9a5ebc255d9aea0b3da86e10f58dfefb307a7e03

  • SHA256

    63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49

  • SHA512

    b589075924ff1b011597047bd3335b65944f65d5d91c575e26912e28e32184cbb28792a2da265fc5da5870ccf257daab1459ffc306fc3a7434e85d9e866136cb

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49.exe
    "C:\Users\Admin\AppData\Local\Temp\63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49.exe
      "C:\Users\Admin\AppData\Local\Temp\63cb7def296c5d609d3cc8be545b79de02e385937c437e3b7d7b749cce828f49.exe"
      2⤵
      • Loads dropped DLL
      PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files (T1081): 1
  • Collection: Data from Local System (T1005): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\Free Nitro Generator.exe.manifest (Filesize: 1KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140.dll (Filesize: 84KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_bz2.pyd (Filesize: 72KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_ctypes.pyd (Filesize: 109KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_hashlib.pyd (Filesize: 36KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_lzma.pyd (Filesize: 181KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_queue.pyd (Filesize: 24KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_socket.pyd (Filesize: 67KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_sqlite3.pyd (Filesize: 66KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\_ssl.pyd (Filesize: 108KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\base_library.zip (Filesize: 767KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\certifi\cacert.pem (Filesize: 274KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\libcrypto-1_1.dll (Filesize: 2.1MB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\libffi-7.dll (Filesize: 28KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\libssl-1_1.dll (Filesize: 524KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\python38.dll (Filesize: 3.7MB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\select.pyd (Filesize: 23KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\sqlite3.dll (Filesize: 978KB)
  • C:\Users\Admin\AppData\Local\Temp\_MEI15522\unicodedata.pyd (Filesize: 1.0MB)

  • memory/1516-54-0x0000000000000000-mapping.dmp