Analysis
-
max time kernel
104s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
25-11-2022 19:18
General
-
Target
86996493aa0ded11e25ef5a21e45beb22f887c30a87097aea0ad5c274808b794.exe
-
Size
634KB
-
MD5
a94c870e39993f6b9eadf4810dc1d8c0
-
SHA1
4257249486dd3f966aa25aadd8c0865465dafaaa
-
SHA256
86996493aa0ded11e25ef5a21e45beb22f887c30a87097aea0ad5c274808b794
-
SHA512
7699fd1e3053858234a13eab5ac86968f739aa3afbfc9ae6245ac897ae6448c14ac7ea131a5361837c9fadd1e0d947506a33291367cc199107cfb89fea97f75b
-
SSDEEP
12288:77CTw+aL8p301mSXWGQAWli3Genad9m9/FTyt6/JpnLwnOGv9k5A+lJL5aQ:77uwvL8p304SXWGQAWli3xnaPoFTy2bV
Malware Config
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Kills process with taskkill 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\86996493aa0ded11e25ef5a21e45beb22f887c30a87097aea0ad5c274808b794.exe"C:\Users\Admin\AppData\Local\Temp\86996493aa0ded11e25ef5a21e45beb22f887c30a87097aea0ad5c274808b794.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mailpv.exeC:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mailpvPasswords.txt2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM mailpv.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exeC:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassViewPasswords.txt2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM WebBrowserPassView.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\mspass.exeC:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\mspassPasswords.txt2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM mspass.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199KB
MD5369661814213b72a87671b25842f76bd
SHA13da4b4cd882f1fb0ed16f37d85ac8b76eb1df051
SHA25605e281144820c35509124e1cb048f2083277ba1f9f405c5647be5b1902b74dc0
SHA5127157ec599041d98a3580418ce30821bffcba604bed3a1ffb7483b4c4a2f2fa8915337b6c718d00a9086f24be29ded29ceb25f68621c1173176ac56f4388e20a8
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
51KB
MD534600476c01f140945c4bd8296e51e5b
SHA143a13815da128d1c351f738449736b5cf3198758
SHA2561b9485443ff7ca17217ab9200c404513030da9ec7ebebb9cbea18d172186598c
SHA512ada2ff2819b43042d4fcda37236c34135c0152f90d0175f45c94ae6e61f51a93c17ee0d9881517840e0c3e7bb6041469d6a8ff3de3d4ccd231bb50599e81b23f
-
Filesize
65KB
MD5ffc52f2b4435fcddaca6e15489a88b75
SHA163ec31a04cf176852344d544ae855da0dac64980
SHA2563f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f
SHA512389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c
-
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
124KB
-
-
-
Filesize
124KB
-
Filesize
16.6MB
-
Filesize
124KB
-
Filesize
124KB
-
-
-
Filesize
152KB
-
Filesize
372KB
-