f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe
Size

188KB
MD5

2f6594e1fc382b9ebe3e1d568d6877aa
SHA1

4fea452e8ce11128c1a185ceaedb46446d59c5d7
SHA256

f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3
SHA512

af03f4c1f6e1f3c803e1fbffcc61a368e3226f75c0f3589738eaa170e639572a33be26c1b7487169484f11bd257adcaf82c1b8587a29bca7b2845d8dc81e0c31
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUU2oOVSZl6QdegikWk:h1OgDPdkBAFZWjadD4s52pVSZQQYKWk

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	5079539fc5411.exe

Loads dropped DLL 3 IoCs

pid	Process
1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe
1696	5079539fc5411.exe
1696	5079539fc5411.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000142d6-55.dat	nsis_installer_1
behavioral1/files/0x00060000000142d6-55.dat	nsis_installer_2
behavioral1/files/0x00060000000142d6-57.dat	nsis_installer_1
behavioral1/files/0x00060000000142d6-57.dat	nsis_installer_2
behavioral1/files/0x00060000000142d6-59.dat	nsis_installer_1
behavioral1/files/0x00060000000142d6-59.dat	nsis_installer_2
behavioral1/files/0x0006000000014c4a-68.dat	nsis_installer_1
behavioral1/files/0x0006000000014c4a-68.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27
PID 1880 wrote to memory of 1696	1880	f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe	27

C:\Users\Admin\AppData\Local\Temp\f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe
"C:\Users\Admin\AppData\Local\Temp\f4736280eb7981e104c050e0eb72314b51f6a4af10acff1aa57fe6a6ba49cca3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\5079539fc5411.exe
  .\5079539fc5411.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
512ab564af2ac978e1183b6c98a2672d

SHA1
94e4c8f9da7b63d3221ae4ab129912aeb3f23b7e

SHA256
c091810e4b468049005e950f265b528b52acbeecb5611468ecceff04711b8b87

SHA512
8ceb7a0407f76d63bb5791cf07fe43bcf8b559e8aeaf4dea42e207b4f843b72afbaf7710057b7810ab9bd5ebbd4e8da71cc13b5168356eacc0a66d4541973af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
6a1f274063bb2fd947146616f7bd579f

SHA1
1b87b0935e863480084687170d684b25f19873c8

SHA256
2aeffbd283609530f195541bbe608f05043a7a3d74a00b79f90c48d0a2af423b

SHA512
566e0c8f2f9b938f0aa78d7f85a44f84c7641e95452e28d9559883063dae8030d601bbbfa03a5837fa118c0b9ebddd8e5f08a89f6006e01eb89e802633606a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
8622e2074772c55d1001b828b370dd68

SHA1
420177887fd20d2e9c9ad0ac6ea6da45c62aecdd

SHA256
1108832fd0d957cabf4f70ecd32d846301f468a8b9f210a0c4157674a54fb8ee

SHA512
6041b917d9963adc13770c875a78e58790b1e9494d1efb85eb881eb66db462fe67dca0b131675d14167ab06e9c398e1a16689a9ed26ef86e3f91f37c1ef440dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
cd40caa10ff79164c1c97160bac70172

SHA1
a40bd6d7dea4ccad6c1ee80ccf83c9f043013d59

SHA256
b3c846b4420fd89fe9306aca1c83bf70a313525a95202a2cccc1f71fd6ddc234

SHA512
e579c9f71c6e43b49da7f43418554c635684b5739c897050ae511b798df6d44544a97b5a425fce85277347da27c37717ddc5964826184d592d83bf2bce607fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\[email protected]\install.rdf

Filesize
717B

MD5
f82ebcf9c349dc37fa92b8de878751a8

SHA1
076b05127437db799accffba42a1d9ec9c592725

SHA256
45b2f5fb8dc103b377a587958acf08e600e45eac3e5e27e6c460d41681cfce42

SHA512
4a12451336756b3a36889c339f4e1248b8f63b0a1c3bfbc4db078372717956f87cc5a571019f4457f02490d42b6f800be7d05014537f8bbccbf6b3af92662cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\5079539fc5411.exe

Filesize
65KB

MD5
6fce522ef2543f1cd8812f45c8718ba6

SHA1
270c89c05963c0f24f976f6b75aa4d12ade4c837

SHA256
d75c34545066eb787ed671c6d4ce4f4c6267637518ca683dfefb79f95f14226b

SHA512
a0a486b95aeb9c059f23e639e16abdbfe94b041f33309b44e95743bf5a82f92d3c444c025b6c36a0dc296add3c2bc4f6affcf130014f16968be0afa8e0007880

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\5079539fc5411.exe

Filesize
65KB

MD5
6fce522ef2543f1cd8812f45c8718ba6

SHA1
270c89c05963c0f24f976f6b75aa4d12ade4c837

SHA256
d75c34545066eb787ed671c6d4ce4f4c6267637518ca683dfefb79f95f14226b

SHA512
a0a486b95aeb9c059f23e639e16abdbfe94b041f33309b44e95743bf5a82f92d3c444c025b6c36a0dc296add3c2bc4f6affcf130014f16968be0afa8e0007880

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\jdakhenongaodeniggbnkmihjibpblia.crx

Filesize
7KB

MD5
e7d1486078c2e35e155d8f7b480ef0d7

SHA1
549b0151becca4db14c65e8fc2a1bc9ae072c6d3

SHA256
ec00b95b9f26adce489383e683359514c287d7c85b74ae7b85cfc24353344dbb

SHA512
6062dbf69cc7abf404730345f09e0143185f0f28ff7aac7642bd0bcd5e8a843958500e30225de0589649fc79bda36059bc0e82625095484932e5e813a9796ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\settings.ini

Filesize
636B

MD5
7ff0a002c7267672dd4df3bd8605073f

SHA1
3c5bc5fd4d023525e5e6ed9b73e8ebf83d7f6002

SHA256
bc975888000a71f8c23cdc3deadc22080fd9f4075e82a966aa3b88d4496a62a4

SHA512
430d132fe656387f4ae581bec120a626505667da7ea51df0ff2d6ed7d42435f2c63e31878e8cf02e04307ea0ccc1457be4ab237b2b08bdf539a3330881c82e99

Download Submit
\ProgramData\wxDownload\uninstall.exe

Filesize
48KB

MD5
602aa39f9ab3b6685bee71c67dc485c5

SHA1
69cd0d6f9ce55a5e5d3d3559d31422303dc6def1

SHA256
d8fb9c21b350a06449c7e6934a3c2d971d20851ce73938bbc5f79349f970721c

SHA512
3bb5a0bf89da8993ae2801b41f7644ec39fc418ac0553bc67ed4f36ad413f3c2237ff9bcdd4a1ca64ad546b30e6445d3f6f1fa3af0f34faf1841da306e81ea94

Download Submit
\Users\Admin\AppData\Local\Temp\7zS37B4.tmp\5079539fc5411.exe

Filesize
65KB

MD5
6fce522ef2543f1cd8812f45c8718ba6

SHA1
270c89c05963c0f24f976f6b75aa4d12ade4c837

SHA256
d75c34545066eb787ed671c6d4ce4f4c6267637518ca683dfefb79f95f14226b

SHA512
a0a486b95aeb9c059f23e639e16abdbfe94b041f33309b44e95743bf5a82f92d3c444c025b6c36a0dc296add3c2bc4f6affcf130014f16968be0afa8e0007880

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3989.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/1880-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download