1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 00:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe
Size

151KB
MD5

61a731cdfc1b56a187ddd842226963f9
SHA1

40c7bb89f161048ffc1a9ccff4ef3afa9c4e2edc
SHA256

1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea
SHA512

20cc1b1064c724022dd4fa0499ad57776addaecbe09b5eabb9828271902102a92805c4eec8d750efd56b86f8f7289a514a4fc646b764a24f8b16427812e889fb
SSDEEP

3072:dwWV1igLfnV2okLbhi5oc9CBmht5fUhAfnGpXlBcRQJH0Ohxw17j/+Aout:dwWV19LsosbhBEhUqG1kSJH0O/w1NoS

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	msservice32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msservice32.exe	1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe
File opened for modification	C:\Windows\SysWOW64\msservice32.exe	1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe
File opened for modification	C:\Windows\SysWOW64\msservice32.exe	msservice32.exe
File created	C:\Windows\SysWOW64\msservice32.exe	msservice32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1696	1344	1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe	84
PID 1344 wrote to memory of 1696	1344	1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe	84
PID 1344 wrote to memory of 1696	1344	1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe	84
PID 1696 wrote to memory of 3480	1696	msservice32.exe	87
PID 1696 wrote to memory of 3480	1696	msservice32.exe	87
PID 1696 wrote to memory of 3480	1696	msservice32.exe	87

C:\Users\Admin\AppData\Local\Temp\1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe
"C:\Users\Admin\AppData\Local\Temp\1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\msservice32.exe
  C:\Windows\system32\msservice32.exe 1164 "C:\Users\Admin\AppData\Local\Temp\1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\msservice32.exe
    3⤵
    PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\user.js

Filesize
140B

MD5
2af6b05b1444223fc1d434b68ca1d70c

SHA1
b005e12e00f09b008e0350a1d00f7f41b04524f4

SHA256
bfa018f60b77d878d2b4ca34d710f310875141ea8e0ca29b8ea6664cf918ccac

SHA512
1bbef765ed6fd3584715d9be5c4f4a0464a5e0f221b2d174ac60302c5a1c28b7ed9b0d7db997fa8a99bd6332f650d1122674da40dc7d927858af5e35d15e35ba

Download Submit
C:\Windows\SysWOW64\msservice32.exe

Filesize
151KB

MD5
61a731cdfc1b56a187ddd842226963f9

SHA1
40c7bb89f161048ffc1a9ccff4ef3afa9c4e2edc

SHA256
1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea

SHA512
20cc1b1064c724022dd4fa0499ad57776addaecbe09b5eabb9828271902102a92805c4eec8d750efd56b86f8f7289a514a4fc646b764a24f8b16427812e889fb

Download Submit
C:\Windows\SysWOW64\msservice32.exe

Filesize
151KB

MD5
61a731cdfc1b56a187ddd842226963f9

SHA1
40c7bb89f161048ffc1a9ccff4ef3afa9c4e2edc

SHA256
1992bd93d63ce1b1824fd4fffebdacd31bc08bbf413c3d4ec309e3f3d8b3e7ea

SHA512
20cc1b1064c724022dd4fa0499ad57776addaecbe09b5eabb9828271902102a92805c4eec8d750efd56b86f8f7289a514a4fc646b764a24f8b16427812e889fb

Download Submit
memory/1344-135-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1344-137-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1696-136-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1696-140-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download