916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
Size

8.0MB
MD5

f6c13c919481028c05947079a5756bd6
SHA1

449dcab814192c2d056703de1b7f59e707d2c082
SHA256

916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9
SHA512

cc70058bc894bb27fa5be699955ec2c9c2bbca982f9ba61c29d68800abad71997dcc3e83a36de1a84ef3b20329ec69a89ca117bc6005daee24b237a32871ca6c

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

pid	process
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

description pid process

Token: 35 560 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

description	pid	process
Token: 35	560	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

description	pid	process	target process
PID 968 wrote to memory of 560	968	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
PID 968 wrote to memory of 560	968	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
PID 968 wrote to memory of 560	968	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe	916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe

C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
"C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
"C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9682\12.exe.manifest
Filesize
1KB

MD5
e45afb59ae9011ce3074d4d0cf18b0e0

SHA1
06a3d099680d7c2a85e9363bfcd52b5f3b858742

SHA256
dfa76ea5a6a5494381c7b7d5ffc7b5a9032066250f312d4247723c0c47eaedc7

SHA512
e54d18fc3f19e57b25d2c4dd7c15c8a916d8f3d1ce1951adc1179f63de978a262310072b51680cee61801b9dd58ae1e65227ae30548e196ac17a888681452d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_bz2.pyd
Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_cffi_backend.cp36-win_amd64.pyd
Filesize
176KB

MD5
73f1df8dcc309fe0be69a7b5bbd6a5a6

SHA1
199a0355689536f3b1c7d6293d0bfa9d84132aa0

SHA256
165f5f342c5c560c1e647e8beb82f5044d5a91783754fc38baf9925ed52e290d

SHA512
e6c9be073983ab0fc6397e953fb42c61d1657d0b165738dcdd8a6d1606f06568d62a1d3023bba96bc4de7507669fe75e1f4677301967db7a7ae62c456264b974

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_hashlib.pyd
Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_lzma.pyd
Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_socket.pyd
Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_sqlite3.pyd
Filesize
83KB

MD5
cccc7ccb54fe4db0795e7aaa1caab495

SHA1
08928d8505296be3340b77433a78c01f0167d089

SHA256
6a4d92b3b1308487a2a829e92a8e8b5721e0ab5d9001397af4a375d5c3984a84

SHA512
26769273064f5017d442b9680f5d39d2a9da6404bc61b682af3452419434b7640e450be77dad73ac43fdea01a17d2def5ffdc46ae33ada60fd6233d7a90cf8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_ssl.pyd
Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\base_library.zip
Filesize
756KB

MD5
c9641b9a64215c71c6d39da453600df5

SHA1
8a8b747acb29fb09543358cfa6c50e19c571d488

SHA256
a6d204c36e82ac5a8e948f5e17876b2ba978cb4dbd88bfb6ff64051e773d6d93

SHA512
06fbbd0430147eb8a9d223ab67b3ccdc3d77d8a21fbb0f156acebec95f0c43cb2b3493d3955078136b71beb7b8bef7aefb94b8c9ba9c881014fb701179f493d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\certifi\cacert.pem
Filesize
277KB

MD5
edd513e1d62ca2b059821b8380c19d19

SHA1
7e785afc6a7174f008b8b6e775c91c018d72aee3

SHA256
870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd

SHA512
31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\cryptography\hazmat\bindings\_constant_time.cp36-win_amd64.pyd
Filesize
12KB

MD5
7fc56f99b7459a4f5b924a9e22e84528

SHA1
5f4113b057b0447b5a5329a309f80263897d18d0

SHA256
f158dfe87dc9e9f5b05841a05f34643cb48935620b7bfd57e4a078c71e0638ba

SHA512
e8dccbe7076ae672cc5d87970256708f982d57b4710be68f2d857adf80638e19126d8d379e45c530620d72af877a07e7883d0b97af38b58cfc0014a88e913946

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\cryptography\hazmat\bindings\_openssl.cp36-win_amd64.pyd
Filesize
3.0MB

MD5
0ae2b1f2629d54c694e20805d55c8e2a

SHA1
a190fc39fb2e31f68e55b4438a151784d58e75c0

SHA256
3b26a3fc3cb038409ebe05c3678801adc849ac8928a77e5e7af51051a0c9b160

SHA512
d901cd46ec3e74f4a67cb301e741e4518efcd70062f39c4d50a15ad5469dc63ab0387d0e8bdf214213cb8d9a8e2fa908dee7f4d4c1d5f14fd9cab9c23832ba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\python36.dll
Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\select.pyd
Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\sqlite3.dll
Filesize
1.1MB

MD5
381f7d517392477dc535f25ac3343557

SHA1
97b92e3585a130fcddaa6d908c0aa421107a51f0

SHA256
cc93a60116b834a4367b37741fdfcc3a32b4a2edb315ee765ea0019e11b102f2

SHA512
1e1ed9c40e80e788cade1c52f9aa960081dfcb38cbba0fe807fc930041e7118c2f5c9c2a029f3bd23f19fb2d1f9b5c3201afdd35fafbf018ea68d9ae082418c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9682\unicodedata.pyd
Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_bz2.pyd
Filesize
92KB

MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_cffi_backend.cp36-win_amd64.pyd
Filesize
176KB

MD5
73f1df8dcc309fe0be69a7b5bbd6a5a6

SHA1
199a0355689536f3b1c7d6293d0bfa9d84132aa0

SHA256
165f5f342c5c560c1e647e8beb82f5044d5a91783754fc38baf9925ed52e290d

SHA512
e6c9be073983ab0fc6397e953fb42c61d1657d0b165738dcdd8a6d1606f06568d62a1d3023bba96bc4de7507669fe75e1f4677301967db7a7ae62c456264b974

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_hashlib.pyd
Filesize
1.4MB

MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_lzma.pyd
Filesize
248KB

MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_socket.pyd
Filesize
70KB

MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_sqlite3.pyd
Filesize
83KB

MD5
cccc7ccb54fe4db0795e7aaa1caab495

SHA1
08928d8505296be3340b77433a78c01f0167d089

SHA256
6a4d92b3b1308487a2a829e92a8e8b5721e0ab5d9001397af4a375d5c3984a84

SHA512
26769273064f5017d442b9680f5d39d2a9da6404bc61b682af3452419434b7640e450be77dad73ac43fdea01a17d2def5ffdc46ae33ada60fd6233d7a90cf8ab

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\_ssl.pyd
Filesize
1.7MB

MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\cryptography\hazmat\bindings\_constant_time.cp36-win_amd64.pyd
Filesize
12KB

MD5
7fc56f99b7459a4f5b924a9e22e84528

SHA1
5f4113b057b0447b5a5329a309f80263897d18d0

SHA256
f158dfe87dc9e9f5b05841a05f34643cb48935620b7bfd57e4a078c71e0638ba

SHA512
e8dccbe7076ae672cc5d87970256708f982d57b4710be68f2d857adf80638e19126d8d379e45c530620d72af877a07e7883d0b97af38b58cfc0014a88e913946

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\cryptography\hazmat\bindings\_openssl.cp36-win_amd64.pyd
Filesize
3.0MB

MD5
0ae2b1f2629d54c694e20805d55c8e2a

SHA1
a190fc39fb2e31f68e55b4438a151784d58e75c0

SHA256
3b26a3fc3cb038409ebe05c3678801adc849ac8928a77e5e7af51051a0c9b160

SHA512
d901cd46ec3e74f4a67cb301e741e4518efcd70062f39c4d50a15ad5469dc63ab0387d0e8bdf214213cb8d9a8e2fa908dee7f4d4c1d5f14fd9cab9c23832ba57

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\python36.dll
Filesize
3.4MB

MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\select.pyd
Filesize
26KB

MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\sqlite3.dll
Filesize
1.1MB

MD5
381f7d517392477dc535f25ac3343557

SHA1
97b92e3585a130fcddaa6d908c0aa421107a51f0

SHA256
cc93a60116b834a4367b37741fdfcc3a32b4a2edb315ee765ea0019e11b102f2

SHA512
1e1ed9c40e80e788cade1c52f9aa960081dfcb38cbba0fe807fc930041e7118c2f5c9c2a029f3bd23f19fb2d1f9b5c3201afdd35fafbf018ea68d9ae082418c2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9682\unicodedata.pyd
Filesize
884KB

MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
memory/560-54-0x0000000000000000-mapping.dmp

Download