b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
Size

5.9MB
MD5

825e80d3501a520ee2c8886a5cbee7d2
SHA1

9a9b4b689ec6c8cea66f22f12da9b715bf50d75b
SHA256

b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad
SHA512

2abc0c8f832d4e5946e5c1a0cde73cb11594a33379c2bcc20c23e869343760fa55aaaaf76e1017d994f7da99ebc2c6d3352cdfe5d7f00ff401cd33356547a589

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

pid	process
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

description pid process

Token: 35 1916 b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process
Token: 35	1916	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

description	pid	process	target process
PID 1708 wrote to memory of 1916	1708	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
PID 1708 wrote to memory of 1916	1708	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe	b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe

C:\Users\Admin\AppData\Local\Temp\b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
"C:\Users\Admin\AppData\Local\Temp\b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe
"C:\Users\Admin\AppData\Local\Temp\b77e78c2957de70e5796a41876fd9c702531b398379f9f1c77b1ba20ef2f9aad.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17082\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_bz2.pyd
Filesize
92KB

MD5
cde853b48405adc6bb2009553951cf4b

SHA1
1cd5ecb2a7c4ded3663b497bfe9b190e7304135e

SHA256
9f3b2a39dd67f9c328dd0e021cae0fb9e60e78f451fc4071a529fde00db0c243

SHA512
7448f6f63a83018c64b69a5f0535aac4287ca838fb122101d02449c34120db3047b967202068fdec60939c28317cfeb5cd7ac8a7732eea84e9358689ee777cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_bz2.pyd
Filesize
92KB

MD5
cde853b48405adc6bb2009553951cf4b

SHA1
1cd5ecb2a7c4ded3663b497bfe9b190e7304135e

SHA256
9f3b2a39dd67f9c328dd0e021cae0fb9e60e78f451fc4071a529fde00db0c243

SHA512
7448f6f63a83018c64b69a5f0535aac4287ca838fb122101d02449c34120db3047b967202068fdec60939c28317cfeb5cd7ac8a7732eea84e9358689ee777cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_hashlib.pyd
Filesize
38KB

MD5
d2cd47354de38cc1edf86040e9661e6c

SHA1
d228f223f2a26faf39fa9dae0d311bfd95ef17be

SHA256
85c2fb612e92eb687dfa6ec0a65bbddccb7b49de507b093744587af07c575116

SHA512
f221c5afd0cd71754f97b5554275bd059233e12c2e96513639dea353c2644ec2b3da3ff9773878c793e9fa10239581fddde41f543a080ad5fc0afda7ba130061

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_hashlib.pyd
Filesize
38KB

MD5
d2cd47354de38cc1edf86040e9661e6c

SHA1
d228f223f2a26faf39fa9dae0d311bfd95ef17be

SHA256
85c2fb612e92eb687dfa6ec0a65bbddccb7b49de507b093744587af07c575116

SHA512
f221c5afd0cd71754f97b5554275bd059233e12c2e96513639dea353c2644ec2b3da3ff9773878c793e9fa10239581fddde41f543a080ad5fc0afda7ba130061

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_lzma.pyd
Filesize
248KB

MD5
a550f17aed5a5e6660fbfa406590af43

SHA1
e23db31a9eadc90e9c5a1c8a3e55cc7aa677ff35

SHA256
2d3acac7982b190333b16bfc4a1f5ccfc24f50b16994001aee6e32a22df8292a

SHA512
40264569e3d73347e2a6148a6f9cc82896711ad5874d2b0bcdc3d33f59d96b22ca477fb083f44b7c753cfb11f8c511c9f475aa7d89a25e6f153bc2be7e7a7a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_lzma.pyd
Filesize
248KB

MD5
a550f17aed5a5e6660fbfa406590af43

SHA1
e23db31a9eadc90e9c5a1c8a3e55cc7aa677ff35

SHA256
2d3acac7982b190333b16bfc4a1f5ccfc24f50b16994001aee6e32a22df8292a

SHA512
40264569e3d73347e2a6148a6f9cc82896711ad5874d2b0bcdc3d33f59d96b22ca477fb083f44b7c753cfb11f8c511c9f475aa7d89a25e6f153bc2be7e7a7a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_queue.pyd
Filesize
27KB

MD5
d8c551b3236fcbf8eddcec60d120cb37

SHA1
6daa6c0a870644710fc0ae43b24f91b31a1bc163

SHA256
bc63eb39366f7de378e2dfebc8ba8a1f574cfa6c90c642b282f60c2d79c0e320

SHA512
1a9245f44dc9c2f3d6e86e1c5650af10810d8ef9732c3304879dd1aac9ddf8bd132af1d4f870b713f3a9df618ef0ab12981d02a7012717ee2e9473f6dd64e051

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_queue.pyd
Filesize
27KB

MD5
d8c551b3236fcbf8eddcec60d120cb37

SHA1
6daa6c0a870644710fc0ae43b24f91b31a1bc163

SHA256
bc63eb39366f7de378e2dfebc8ba8a1f574cfa6c90c642b282f60c2d79c0e320

SHA512
1a9245f44dc9c2f3d6e86e1c5650af10810d8ef9732c3304879dd1aac9ddf8bd132af1d4f870b713f3a9df618ef0ab12981d02a7012717ee2e9473f6dd64e051

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_socket.pyd
Filesize
75KB

MD5
d01862e4afe155cd62e69935e739ee51

SHA1
ffa93f260bc82fd33fb3be0d958bf6262537a773

SHA256
9506ef21605d443f1927089eacf0cd6c138bd88dcaef99cbe58960346113b67a

SHA512
3d22dae047d285126c7d527bcafb34c022c6f4d916b7200be7b2154265a7acbd73ab862f6263f531d1f9cb9ff90dcad432fd9bbad59fb847383be21e57c354a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_socket.pyd
Filesize
75KB

MD5
d01862e4afe155cd62e69935e739ee51

SHA1
ffa93f260bc82fd33fb3be0d958bf6262537a773

SHA256
9506ef21605d443f1927089eacf0cd6c138bd88dcaef99cbe58960346113b67a

SHA512
3d22dae047d285126c7d527bcafb34c022c6f4d916b7200be7b2154265a7acbd73ab862f6263f531d1f9cb9ff90dcad432fd9bbad59fb847383be21e57c354a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_ssl.pyd
Filesize
118KB

MD5
b07ab1b3fdb06fa7923fd48c8d0ebe3e

SHA1
217ded2b45349d949848dd6f62b0df3ab8d8d3e4

SHA256
aefcacf74e2c2b35d7aa2f15a00b32a00edb107fc3ec230cdad4fb7db23daea6

SHA512
db815aa1341cae2ddba8087cc36abfc2d06fee5f8863f9a3fb23117a24394c21116fd6f46bf9a3f8925526037eb5ea29fb82bad88423fbe60a81e610f30e9964

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\_ssl.pyd
Filesize
118KB

MD5
b07ab1b3fdb06fa7923fd48c8d0ebe3e

SHA1
217ded2b45349d949848dd6f62b0df3ab8d8d3e4

SHA256
aefcacf74e2c2b35d7aa2f15a00b32a00edb107fc3ec230cdad4fb7db23daea6

SHA512
db815aa1341cae2ddba8087cc36abfc2d06fee5f8863f9a3fb23117a24394c21116fd6f46bf9a3f8925526037eb5ea29fb82bad88423fbe60a81e610f30e9964

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\base_library.zip
Filesize
768KB

MD5
891d0b37f2199294ed33e4843f81587b

SHA1
2f3370368fab6644f9f14c8db00ff451928f085d

SHA256
54bd9ed53ccae8e94dc522fbb86de1811851733dae44b0ccdd1b487a622154d3

SHA512
ebf5b1d34fbdd1670ed8e09b75b575696243fda2601580893d110a0a8d74d15942c6584365ca87d734c0842d73474fed65f1070f8f315c8dcc98ab8dbfb5fb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\certifi\cacert.pem
Filesize
275KB

MD5
c760591283d5a4a987ad646b35de3717

SHA1
5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134

SHA256
1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e

SHA512
c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\grabber.exe.manifest
Filesize
1KB

MD5
1742b1860362ee839afff995eccd000b

SHA1
d7926c65bae53a4174c5786f4ca426fe7b405ca4

SHA256
77852f91ae6586125b5f489e78a623fba9c73095883fd7424fa4597aebe0dd38

SHA512
28182af3534f13d21618fc94cbdd1764f5498c43012a5192f1e6f458085b152526810d0a4fdf90e0364c2d7aae33c36149fb38b7a7887e0fa8caf09fc3ba1d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\libssl-1_1.dll
Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\libssl-1_1.dll
Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\python37.dll
Filesize
3.6MB

MD5
f8f12175880677bd010def8ba14208da

SHA1
889e23b96d78135dc3294c84ab900b91fa9f7a0c

SHA256
08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27

SHA512
7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\python37.dll
Filesize
3.6MB

MD5
f8f12175880677bd010def8ba14208da

SHA1
889e23b96d78135dc3294c84ab900b91fa9f7a0c

SHA256
08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27

SHA512
7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\select.pyd
Filesize
26KB

MD5
b394f7551ffd3f97386e48a71f99a702

SHA1
3edf2989b7985903a4987034fea468c38c3198c9

SHA256
f219279eea9b8ec9e017fd59200c0aa49fa99e83eea18316fc1b3c8381e49f3f

SHA512
890fe0b477ebc1d9d25a94ff3db1bf7b0c4eb6d34114e7416f88d7ed085a0bc65ff34e3c7c75db773d54a17fed0bf09825be68bfeae16ebae179c35440941641

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\select.pyd
Filesize
26KB

MD5
b394f7551ffd3f97386e48a71f99a702

SHA1
3edf2989b7985903a4987034fea468c38c3198c9

SHA256
f219279eea9b8ec9e017fd59200c0aa49fa99e83eea18316fc1b3c8381e49f3f

SHA512
890fe0b477ebc1d9d25a94ff3db1bf7b0c4eb6d34114e7416f88d7ed085a0bc65ff34e3c7c75db773d54a17fed0bf09825be68bfeae16ebae179c35440941641

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\unicodedata.pyd
Filesize
1.0MB

MD5
88ee2c01ae13210de752ec48daed4b45

SHA1
5b8792a27f22e8b81249689a7b1ebb136705a618

SHA256
dc1dc90497aa73ff135acdcca8ac863aae5d774c45ece5a4d053d5c24624d0e5

SHA512
4fd96ba6adbbfd9fa659a07ed5d44d548d940b7069a375cea7732dd40f9e7dc183eaf2c3363ac3be1a34ebfc26def4ebf001ff4c802fcd6d594ececddc8b6131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17082\unicodedata.pyd
Filesize
1.0MB

MD5
88ee2c01ae13210de752ec48daed4b45

SHA1
5b8792a27f22e8b81249689a7b1ebb136705a618

SHA256
dc1dc90497aa73ff135acdcca8ac863aae5d774c45ece5a4d053d5c24624d0e5

SHA512
4fd96ba6adbbfd9fa659a07ed5d44d548d940b7069a375cea7732dd40f9e7dc183eaf2c3363ac3be1a34ebfc26def4ebf001ff4c802fcd6d594ececddc8b6131

Download Submit
memory/1916-130-0x0000000000000000-mapping.dmp

Download