73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
Size

171KB
MD5

8f02ee241d09bd77a1ee343df760d46c
SHA1

52a44cae03f45fca531e6de7fc8c2f193572c74b
SHA256

73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc
SHA512

48422683c63df68525d37cd3b69461ca2894dae31fe0cdf40b0eec50b828e9ef695957da97ff1b7900fdd2d8f564d902965b0deecee305f60ea62d18609b47a2
SSDEEP

3072:PM1BjoYNXoKDIJBXJPFyj8uZLpHWUueS5oCEY5sMubWsqfW9X25rplo6sOvuP4hj:PMMYNXqBBFyj8iV2UHS2CEYHsdrmlopW

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
956	WerFault.exe
956	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
956	1512	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27
PID 1512 wrote to memory of 956	1512	73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe	27

C:\Users\Admin\AppData\Local\Temp\73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe
"C:\Users\Admin\AppData\Local\Temp\73c46099141162fad84e843dd3025b4607887b4cbb96a544fa56e6f58a463acc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 680
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst3796.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\heTrrXy.dll

Filesize
147KB

MD5
cdc131ab9fec85a1c0a047b1aff76d9b

SHA1
e912bcea481937865474ca47deeca4f888e357df

SHA256
1caa9068a187e07d7ffaa1563523d5bf6123a9074ec61b00d23b297aac69c805

SHA512
87948a5a5ca45a030e9781638fd4e65346dec2aee0efb2ae7b9ed5ae96d0a01a23f288ea6eca7ca204e2106b4493f39df1857f7cc90a4147b6e57ab22bdce6d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3796.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/956-65-0x0000000000000000-mapping.dmp

Download
memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1512-62-0x0000000000560000-0x000000000058D000-memory.dmp

Filesize
180KB

Download