cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3

Analysis

max time kernel
86s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
Size

2.2MB
MD5

a50dbe0de91b8790688f41fd1c8f766a
SHA1

cb2fe854d981ea011e284d55083d1a675505ef68
SHA256

cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3
SHA512

03be9d10253d4a0e6fc81c270b6e62ed84922d00e539167ab9ad6c9c9476adfb0db9fd15809e15db2c9fe8ab0a3962415de25faf5110da64e7ee6d67a6bb9e76
SSDEEP

49152:pN4nFAOAWNCG/KsUr2aQLny4NqVuv9/Iju2xKn9UpzTepv4:0nFBMW6r2aQby4MVuvFMRxKn9Upzapg

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 20 IoCs

Processes:

cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe

pid	process
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1296	wmic.exe
Token: SeSecurityPrivilege	1296	wmic.exe
Token: SeTakeOwnershipPrivilege	1296	wmic.exe
Token: SeLoadDriverPrivilege	1296	wmic.exe
Token: SeSystemProfilePrivilege	1296	wmic.exe
Token: SeSystemtimePrivilege	1296	wmic.exe
Token: SeProfSingleProcessPrivilege	1296	wmic.exe
Token: SeIncBasePriorityPrivilege	1296	wmic.exe
Token: SeCreatePagefilePrivilege	1296	wmic.exe
Token: SeBackupPrivilege	1296	wmic.exe
Token: SeRestorePrivilege	1296	wmic.exe
Token: SeShutdownPrivilege	1296	wmic.exe
Token: SeDebugPrivilege	1296	wmic.exe
Token: SeSystemEnvironmentPrivilege	1296	wmic.exe
Token: SeRemoteShutdownPrivilege	1296	wmic.exe
Token: SeUndockPrivilege	1296	wmic.exe
Token: SeManageVolumePrivilege	1296	wmic.exe
Token: 33	1296	wmic.exe
Token: 34	1296	wmic.exe
Token: 35	1296	wmic.exe
Token: SeIncreaseQuotaPrivilege	1296	wmic.exe
Token: SeSecurityPrivilege	1296	wmic.exe
Token: SeTakeOwnershipPrivilege	1296	wmic.exe
Token: SeLoadDriverPrivilege	1296	wmic.exe
Token: SeSystemProfilePrivilege	1296	wmic.exe
Token: SeSystemtimePrivilege	1296	wmic.exe
Token: SeProfSingleProcessPrivilege	1296	wmic.exe
Token: SeIncBasePriorityPrivilege	1296	wmic.exe
Token: SeCreatePagefilePrivilege	1296	wmic.exe
Token: SeBackupPrivilege	1296	wmic.exe
Token: SeRestorePrivilege	1296	wmic.exe
Token: SeShutdownPrivilege	1296	wmic.exe
Token: SeDebugPrivilege	1296	wmic.exe
Token: SeSystemEnvironmentPrivilege	1296	wmic.exe
Token: SeRemoteShutdownPrivilege	1296	wmic.exe
Token: SeUndockPrivilege	1296	wmic.exe
Token: SeManageVolumePrivilege	1296	wmic.exe
Token: 33	1296	wmic.exe
Token: 34	1296	wmic.exe
Token: 35	1296	wmic.exe
Token: SeIncreaseQuotaPrivilege	1320	wmic.exe
Token: SeSecurityPrivilege	1320	wmic.exe
Token: SeTakeOwnershipPrivilege	1320	wmic.exe
Token: SeLoadDriverPrivilege	1320	wmic.exe
Token: SeSystemProfilePrivilege	1320	wmic.exe
Token: SeSystemtimePrivilege	1320	wmic.exe
Token: SeProfSingleProcessPrivilege	1320	wmic.exe
Token: SeIncBasePriorityPrivilege	1320	wmic.exe
Token: SeCreatePagefilePrivilege	1320	wmic.exe
Token: SeBackupPrivilege	1320	wmic.exe
Token: SeRestorePrivilege	1320	wmic.exe
Token: SeShutdownPrivilege	1320	wmic.exe
Token: SeDebugPrivilege	1320	wmic.exe
Token: SeSystemEnvironmentPrivilege	1320	wmic.exe
Token: SeRemoteShutdownPrivilege	1320	wmic.exe
Token: SeUndockPrivilege	1320	wmic.exe
Token: SeManageVolumePrivilege	1320	wmic.exe
Token: 33	1320	wmic.exe
Token: 34	1320	wmic.exe
Token: 35	1320	wmic.exe
Token: SeIncreaseQuotaPrivilege	1320	wmic.exe
Token: SeSecurityPrivilege	1320	wmic.exe
Token: SeTakeOwnershipPrivilege	1320	wmic.exe
Token: SeLoadDriverPrivilege	1320	wmic.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe

description	pid	process	target process
PID 1912 wrote to memory of 1296	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1296	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1296	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1296	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1320	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1320	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1320	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe
PID 1912 wrote to memory of 1320	1912	cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe
"C:\Users\Admin\AppData\Local\Temp\cc739d9f6d862db3d9988faba7dddd8a85c6155cf3d374d41306f58f01adabc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic useraccount get name,sid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic useraccount get name,sid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\DcryptDll.dll
Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\IpConfig.dll
Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\inetc.dll
Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\md5dll.dll
Filesize
8KB

MD5
97960d7a18662dac9cd80a8c5e3c794b

SHA1
4c28449cefa9af46bb7a63e9b9ea66a2de0ea287

SHA256
e0d1dc6e4c5cc13fb2db08fc741da0d08b315ebc8d3b53baa61552625d19b9c3

SHA512
1baab7b5378f3a396b31bf63b01b7905759c9f1d17d71882af63338d64eceda1884c947d93e4d9ef911bded1ef061043c873a88b8272f1aa296731aa745e756c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\nsDialogs.dll
Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\nsisos.dll
Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy28C8.tmp\version.dll
Filesize
42KB

MD5
45ec409b03b22ebbbaebf77c96301699

SHA1
a6eaf9cdd8f8f93311f497ab8b6f18bedb62a860

SHA256
09aaf4758f8e45ab371b633ecfa52685c76ed982e58b6ddb02a29b3e14949895

SHA512
b9e9968efdd91a7518d09e0a79713cafda456c6c16011c94bf9bb32fa220f1891d730133e3740cfeb150f896b408e10aa6eef36384776c938584abee9ce2a58e

Download Submit
memory/1296-71-0x0000000000000000-mapping.dmp

Download
memory/1320-73-0x0000000000000000-mapping.dmp

Download
memory/1912-76-0x0000000003761000-0x0000000003769000-memory.dmp

Filesize
32KB

Download
memory/1912-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1912-58-0x0000000003690000-0x00000000036B6000-memory.dmp

Filesize
152KB

Download