Analysis

  • max time kernel
    117s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 01:15

General

  • Target

    5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe

  • Size

    615KB

  • MD5

    68f8880ad2453d24c50905c6ace3a298

  • SHA1

    03e734235eda754c73b105cc3231de10396b139b

  • SHA256

    5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d

  • SHA512

    bd42ee3ac0d2fea1c1f1d09dc9ab5119df04cbe43153cac091640a9800d867f701f002f00eb71ecd1f6b3d7969d69181f1e3035ca1d5d67105d539909ac4fd70

  • SSDEEP

    12288:l4/mCWUk1VrGGiVnnwJ8jFGNW+RfZ9OEBb+ABng3jGv2I:SOUirGR88hGW+pZ9Owbtg3RI

Malware Config

Signatures

  • NirSoft MailPassView (3 IoCs)

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView (4 IoCs)

    Password recovery tool for various web browsers

  • Nirsoft (7 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe
    "C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe"
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe
      "C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe"
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe
        "C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe" /stext C:\ProgramData\Mails.txt
        • Accesses Microsoft Outlook accounts
        PID:4076
      • C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe
        "C:\Users\Admin\AppData\Local\Temp\5664ec38d3c68eb1400c9991ccdd8491ce16253e0fbd56f07192bb80f23d257d.exe" /stext C:\ProgramData\Browsers.txt
        • Suspicious behavior: EnumeratesProcesses
        PID:3972

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Credential Access: Credentials in Files (T1081), 1 hit
  • Collection: Data from Local System (T1005), 1 hit
  • Collection: Email Collection (T1114), 1 hit

Downloads

  • C:\ProgramData\Browsers.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • memory/1788-133-0x0000000000000000-mapping.dmp
  • memory/1788-134-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

  • memory/1788-149-0x0000000074B50000-0x0000000075101000-memory.dmp
    Filesize

    5.7MB

  • memory/1788-138-0x0000000074B50000-0x0000000075101000-memory.dmp
    Filesize

    5.7MB

  • memory/3972-143-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

  • memory/3972-147-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

  • memory/3972-146-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

  • memory/3972-145-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

  • memory/3972-142-0x0000000000000000-mapping.dmp
  • memory/4076-136-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/4076-140-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/4076-139-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/4076-135-0x0000000000000000-mapping.dmp
  • memory/4244-141-0x0000000074B50000-0x0000000075101000-memory.dmp
    Filesize

    5.7MB

  • memory/4244-132-0x0000000074B50000-0x0000000075101000-memory.dmp
    Filesize

    5.7MB