Analysis
max time kernel: 51s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 19-10-2022 21:00
Static task: static1
Behavioral task: behavioral1
Sample: Netspeedmeter.exe
Resource: win7-20220901-en
General
Target: Netspeedmeter.exe
Size: 53.3MB
MD5: b646435178433a3d2704e82615bddafb
SHA1: a6d14282390694c7c4d916c55bd03471c927e805
SHA256: f8b234082461ac20ad8075759e9b05e29f8fa8f77ae4223a1e7fc5a6f4e47c38
SHA512: df9f748f7cbfaf9fec62d8e1c2e515f3081254ab4c175a15c683a033a6cecce652f018c96c8a65602eb39952415bae1ead91e491767ebad64598b304f3c60cd4
SSDEEP: 1572864:ZDSG9Ztq9oJeQvy4GTY4B9HPkNNOTFlYK00:ZTRXGhpkNNOTFlYK00
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
900   Netspeedmeter.tmp
1064  Net Speed Meter.exe

Loads dropped DLL (5 IoCs)
pid   Process
1808  Netspeedmeter.exe
900   Netspeedmeter.tmp
900   Netspeedmeter.tmp
1064  Net Speed Meter.exe
1064  Net Speed Meter.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (36 IoCs)
description    ioc    Process
File opened for modification  C:\Program Files (x86)\Netspeed\System\99\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\97\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\100\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\96\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\104\chromedriver.exe  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\103\is-PDDD4.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\103\chromedriver.exe  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-6FJCR.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-620JU.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\101\is-NBMS1.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\106\is-MEQDG.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\98\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\WebDriver.dll  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-KA0QM.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-O8521.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\unins000.dat  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-1NG53.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\102\is-4UM3B.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\96\is-TSMUT.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\102\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\101\chromedriver.exe  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-KO5KD.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\is-QTH52.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\Newtonsoft.Json.dll  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\Net Speed Meter.exe  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\unins000.dat  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-HH9UA.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\105\is-P2UJS.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\98\is-TDJU9.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\99\is-UD54H.tmp  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\106\chromedriver.exe  (Netspeedmeter.tmp)
File opened for modification  C:\Program Files (x86)\Netspeed\System\105\chromedriver.exe  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\is-D91R1.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\100\is-SK751.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\104\is-6JHOC.tmp  (Netspeedmeter.tmp)
File created  C:\Program Files (x86)\Netspeed\System\97\is-0O5C9.tmp  (Netspeedmeter.tmp)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (2 IoCs)
pid   Process
816   taskkill.exe
1392  taskkill.exe

Modifies registry class (19 IoCs)
description    ioc    Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.myp  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\Software\Classes\NetspeedFile.myp  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\Software\Classes\NetspeedFile.myp\DefaultIcon  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\Software\Classes\NetspeedFile.myp\shell\open\command  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\shell  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\shell\open  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications  (Netspeedmeter.tmp)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\ = "Netspeed File"  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Net Speed Meter.exe  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids  (Netspeedmeter.tmp)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\NetspeedFile.myp  (Netspeedmeter.tmp)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\Netspeed\\Net Speed Meter.exe,0"  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\shell\open\command  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp  (Netspeedmeter.tmp)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\NetspeedFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\Netspeed\\Net Speed Meter.exe\" \"%1\""  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\Software\Classes\Applications\Net Speed Meter.exe\SupportedTypes  (Netspeedmeter.tmp)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Net Speed Meter.exe\SupportedTypes  (Netspeedmeter.tmp)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Net Speed Meter.exe\SupportedTypes\.myp  (Netspeedmeter.tmp)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
900   Netspeedmeter.tmp
900   Netspeedmeter.tmp

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description    pid    Process
Token: SeDebugPrivilege  816   taskkill.exe
Token: SeDebugPrivilege  1392  taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
900   Netspeedmeter.tmp

Suspicious use of WriteProcessMemory (19 IoCs)
description    pid    Process    procid_target
PID 1808 wrote to memory of 900   1808  Netspeedmeter.exe    27  (7 identical events)
PID 900 wrote to memory of 1064   900   Netspeedmeter.tmp    29  (4 identical events)
PID 1064 wrote to memory of 816   1064  Net Speed Meter.exe  30  (4 identical events)
PID 1064 wrote to memory of 1392  1064  Net Speed Meter.exe  33  (4 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Netspeedmeter.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Netspeedmeter.exe"
   PID: 1808
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-IO36I.tmp\Netspeedmeter.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-IO36I.tmp\Netspeedmeter.tmp" /SL5="$80124,55031467,916992,C:\Users\Admin\AppData\Local\Temp\Netspeedmeter.exe"
      PID: 900
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Netspeed\Net Speed Meter.exe
         Command line: "C:\Program Files (x86)\Netspeed\Net Speed Meter.exe"
         PID: 1064
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill.exe /F /IM "chrome.exe"
            PID: 816
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill.exe /F /IM "chromedriver.exe"
            PID: 1392
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads