Analysis
- max time kernel: 130s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 16:17
Static task: static1
Behavioral task: behavioral1
- Sample: 1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
- Size: 5.8MB
- MD5: e8568a0e8f1a3303655720e96d5576b9
- SHA1: 60b789d00d1ea678bca5d94ec6c1b9b6fac29d49
- SHA256: 1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5
- SHA512: 9588db2a91e3ea125b82fcad5f70b07998a9ce8192035c42efd5242448f9a726cb35a558d668f8b868aa7411cd8ef26d12aed39cd95c9ed53a2ad9fd45c006c4
Malware Config
(none extracted)

Signatures

- Loads dropped DLL (15 IoCs)
  Processes:
    pid   process
    2888  1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
  (the same pid/process row is reported 15 times, once per loaded DLL)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    16    api.ipify.org
    17    api.ipify.org

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description  pid   process
    Token: 35    2888  1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 2372 wrote to memory of 2888  2372  1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe  1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
  (the same row is reported 3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe (child of [1])
    command line: "C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\VCRUNTIME140.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_bz2.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_hashlib.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_lzma.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_queue.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_socket.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_sqlite3.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\_ssl.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\base_library.zip
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\certifi\cacert.pem
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\libcrypto-1_1.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\libssl-1_1.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\python37.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\select.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\sqlite3.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI23722\unicodedata.pyd
- memory/2888-130-0x0000000000000000-mapping.dmp