Analysis
- max time kernel: 66s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 21:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
- Resource: win7-20220414-en
General
- Target: 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
- Size: 8.0MB
- MD5: f6c13c919481028c05947079a5756bd6
- SHA1: 449dcab814192c2d056703de1b7f59e707d2c082
- SHA256: 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9
- SHA512: cc70058bc894bb27fa5be699955ec2c9c2bbca982f9ba61c29d68800abad71997dcc3e83a36de1a84ef3b20329ec69a89ca117bc6005daee24b237a32871ca6c
Malware Config
Signatures
-
Loads dropped DLL 14 IoCs
Processes:
pid 4776, process 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe (14 occurrences)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 4: api.ipify.org
flow 6: api.ipify.org
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: 35, pid 4776, process 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
PID 2712 wrote to memory of 4776: 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe -> 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
PID 2712 wrote to memory of 4776: 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe -> 916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe"
  - Suspicious use of WriteProcessMemory
- 2: C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\916f44510c8985522c384ef5d000201059a293b32fc08974bcd82eccb3a313e9.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4776-130-0x0000000000000000-mapping.dmp