Analysis
-
max time kernel
98s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 10:48
Static task
static1
Behavioral task
behavioral1
Sample
3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
Resource
win10v2004-20220812-en
General
-
Target
3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
-
Size
322KB
-
MD5
a2f8ef5fb42b3df1cf821b0ff65ff49a
-
SHA1
1e5db5c9ebfffb65385d3d4140aafccd182bb05e
-
SHA256
3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059
-
SHA512
ef32373c620992a2668754a94bf8757e2f22cbe38dd25be4fc3d13d01bda12b4a62f087abaca8d5f1702a5576f2a34b32dbee4df360803de03f7cfd28de10b91
-
SSDEEP
6144:iRSE+VDpJYWmlwnx9u6BMf0Cv3g6dg9wx/Kj64/:2SE+VF9mOx9ukEv3g6dFx/Kj64
Malware Config
Signatures
-
Nirsoft 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\passwordfox.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\iepv.exe Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
passwordfox.exeiepv.exepid process 280 passwordfox.exe 1016 iepv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
iepv.exedescription pid process Token: SeDebugPrivilege 1016 iepv.exe Token: SeRestorePrivilege 1016 iepv.exe Token: SeBackupPrivilege 1016 iepv.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exedescription pid process target process PID 1456 wrote to memory of 280 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe passwordfox.exe PID 1456 wrote to memory of 280 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe passwordfox.exe PID 1456 wrote to memory of 280 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe passwordfox.exe PID 1456 wrote to memory of 280 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe passwordfox.exe PID 1456 wrote to memory of 1016 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe iepv.exe PID 1456 wrote to memory of 1016 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe iepv.exe PID 1456 wrote to memory of 1016 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe iepv.exe PID 1456 wrote to memory of 1016 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe iepv.exe PID 1456 wrote to memory of 544 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe dw20.exe PID 1456 wrote to memory of 544 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe dw20.exe PID 1456 wrote to memory of 544 1456 3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe"C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\passwordfox.exeC:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\iepv.exeC:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 10642⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\firefox.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\iepv.exeFilesize
88KB
MD596eaf707a7f5e252e0ef640a9f9a41e9
SHA11db028b8e2dad98ab25abfa498ffd0e344b8178c
SHA2569bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2
SHA51212f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0
-
C:\Users\Admin\AppData\Local\Temp\passwordfox.exeFilesize
88KB
MD509b98d668124d3894814f57e84da1b25
SHA113e3ede7c513d7e6853f99309b83ca01a1de41fd
SHA256432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512
SHA5122f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615
-
memory/280-57-0x0000000000000000-mapping.dmp
-
memory/280-59-0x00000000766F1000-0x00000000766F3000-memory.dmpFilesize
8KB
-
memory/544-65-0x0000000000000000-mapping.dmp
-
memory/544-66-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmpFilesize
8KB
-
memory/1016-62-0x0000000000000000-mapping.dmp
-
memory/1456-54-0x000007FEF4070000-0x000007FEF4A93000-memory.dmpFilesize
10.1MB
-
memory/1456-55-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmpFilesize
16.6MB
-
memory/1456-56-0x00000000005D0000-0x0000000000650000-memory.dmpFilesize
512KB
-
memory/1456-61-0x00000000005D0000-0x0000000000650000-memory.dmpFilesize
512KB