c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a

Analysis

max time kernel
159s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 10:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe
Size

188KB
MD5

2d9f8f1c8ac6d566ec4c665458f95f50
SHA1

5f79b1591260e20afa07163a7c639d880e6edd9d
SHA256

c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a
SHA512

8a970e00264df7f219f891eaf92316b4788edae1873e5037cfb58f8d1a1f85b295daa14bb2751749ec60d979c871f54cdfc5c2616efd1fde951ac2171633ea93
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUU5qBFV85qMzAQ6kf7GJG:h1OgDPdkBAFZWjadD4s55qB0BzAQ73

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	508d1d618843c.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	508d1d618843c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e21-134.dat	nsis_installer_1
behavioral2/files/0x0006000000022e21-134.dat	nsis_installer_2
behavioral2/files/0x0006000000022e21-133.dat	nsis_installer_1
behavioral2/files/0x0006000000022e21-133.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1748	2944	c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe	79
PID 2944 wrote to memory of 1748	2944	c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe	79
PID 2944 wrote to memory of 1748	2944	c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe	79

C:\Users\Admin\AppData\Local\Temp\c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe
"C:\Users\Admin\AppData\Local\Temp\c410b85118b5e220feb1b14e665468da166ef205d10411505e829e6991125e3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\508d1d618843c.exe
  .\508d1d618843c.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
0255da5b0db9194901412172ea2178cd

SHA1
58f650243e1fa64e0973b8a128603cf7696dd160

SHA256
307fdf01b9382e81bd0e766be954331711100492c5d69ff6f2182d365eeb7282

SHA512
1bc0edd5c7ec56be3b8a4530173045830c4d8f9e76f25cc9f4406cb404a2de3fc04e4c5f037a477340f7280d54c4a80a3df1582e6b9a3e9569e1bc2b65fb58be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
2d050054cf4f1fb60ec4f9134b6c39fe

SHA1
e48c873d40e51bf3b686d1ce18317e606a692e5c

SHA256
7a5bf1105ae9ea34d45043b507fda6c5cfc21851271c3b95c78e3d3f5a987dbb

SHA512
715e3a355ed0a2b5d5c1b3bd9449144ef12d6314d1b821828d0afb108ecb7c472ba3980d2c2659d16f69a1b337159d3a03d0ae5fd8fad8bc6851017418efaabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
8d631a7e4d88c6a5d940874868f0a26b

SHA1
74958a0f400a6bea548204345a5a247c91e37fb2

SHA256
12ccc28f97a9993efbe060c506435431423256c798a8bda5d48e6f27e4609ec9

SHA512
670c2d1eb4f1549065c6c9234570cc586ef64e200c3a4f54c4a57bb86da53327bbfaf49933d76434bd8def9ab457a4acd09cc49de47f8094593c725c1d0979a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
db4c1dcc1057f9f536f8053d84e39e7d

SHA1
509f36987b2d41df3152d730d00f612b5b8ddc2a

SHA256
9cf168bd50f5852b30f3683c87a1ddbd6b0fd52e518c771fc16871fed04a004b

SHA512
0b3e51c95b2f3e3cd57c20cffcb82f395d3c40c867e3652614ae1964a7715bc579e5ad533cee67e3017f9afc71f6d21cd81ee7b6199a2c2d24328b52707db8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\install.rdf

Filesize
717B

MD5
741783d957a0f66989563c19fe66429b

SHA1
9d5ada104125349e8c202ac22430bc5f7ae9d106

SHA256
9d9ab324d3408a414db14266ed542e58ac79cd67d32278541b35736833b1cd67

SHA512
88d8ec53ca0279b6c6d4961eb928d2902495ad75864cbf87542347f50373c2433a1b86301ff7f82e5836913fcc5fde63b757257c696307f3ad4c60b2acd94682

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\508d1d618843c.exe

Filesize
65KB

MD5
6fce522ef2543f1cd8812f45c8718ba6

SHA1
270c89c05963c0f24f976f6b75aa4d12ade4c837

SHA256
d75c34545066eb787ed671c6d4ce4f4c6267637518ca683dfefb79f95f14226b

SHA512
a0a486b95aeb9c059f23e639e16abdbfe94b041f33309b44e95743bf5a82f92d3c444c025b6c36a0dc296add3c2bc4f6affcf130014f16968be0afa8e0007880

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\508d1d618843c.exe

Filesize
65KB

MD5
6fce522ef2543f1cd8812f45c8718ba6

SHA1
270c89c05963c0f24f976f6b75aa4d12ade4c837

SHA256
d75c34545066eb787ed671c6d4ce4f4c6267637518ca683dfefb79f95f14226b

SHA512
a0a486b95aeb9c059f23e639e16abdbfe94b041f33309b44e95743bf5a82f92d3c444c025b6c36a0dc296add3c2bc4f6affcf130014f16968be0afa8e0007880

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\gifdodmddanaeanjjcaahjnhdmkdjlnd.crx

Filesize
7KB

MD5
cdd4aacb70ceee48f0a530d985340fce

SHA1
00d20a9b654fac08928e5d20dd40f6fc57a36c12

SHA256
7b1b0e41cd6204ce24f538f355ac57fa50c5df33f0f31e2c5889bb0d957ca237

SHA512
0c4a46d8f42cd58cea38d49f15663748b7cad7fc9aecee006def49fa6d60ba1fb941de6bf741ce685d266b8b98d61269474e154c18671e5282409dbdc84e7439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\settings.ini

Filesize
640B

MD5
aa0a821977701643a4c279605b40c0e8

SHA1
cf698962ed9c341dfec9649aaeadab0ee264834c

SHA256
64e244a9aace1b936010dcc9dfd96cefa7bcbb2f6569de21d08716006924cb42

SHA512
c4f35068395911dd03e0a019e80cc51dc92622851e0c62afbc15da505185a488a6b838680e8badea608f9e2618ca9ab66d5841d902cf43e6a8c9fb5a23f3728c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmCC9D.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit