34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe
Size

188KB
MD5

bcbe30a82d105c9dc365e48ba031452b
SHA1

0ca6cefd687f3469aca8e64340c9933825a4b4e6
SHA256

34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719
SHA512

2cf9da9a6e6a8161b92239e4cdc5dc7137e213948363eb5b8f17f42c7643993f82344e833bc25dabdb9d43f645fda0a0295fa86313eb02b65aac7c67faf31836
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUxhQRvzNmsELSM16:h1OgDPdkBAFZWjadD4s5xhQRvzNmsEx6

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	50700d5a7730b.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	50700d5a7730b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0001000000022e01-133.dat	nsis_installer_1
behavioral2/files/0x0001000000022e01-133.dat	nsis_installer_2
behavioral2/files/0x0001000000022e01-134.dat	nsis_installer_1
behavioral2/files/0x0001000000022e01-134.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1496	2532	34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe	82
PID 2532 wrote to memory of 1496	2532	34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe	82
PID 2532 wrote to memory of 1496	2532	34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe	82

C:\Users\Admin\AppData\Local\Temp\34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe
"C:\Users\Admin\AppData\Local\Temp\34676b6039a9e9d8144dcf7e97b1ac272442acd6c7797068137d378980293719.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\50700d5a7730b.exe
  .\50700d5a7730b.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
21c0efd7dc454e28023be70706791f18

SHA1
8363d8965e6a49d894e6632964b9d81e051380f9

SHA256
14dffad409d6bd88427bd628dca74398aad96cd2bc3aa65276aa7cc4c600b9b0

SHA512
061144950a1b0f6973b0ed140cdae7ed124c4729a9e8c0663e476c68ed6e52aa9199f1d929cae25b8baa628a831a1c9cd7353f8aa7d90efa49ddcd50276df3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
cbb6df9d3d9e9ffa5b041d240628a175

SHA1
6712ea0866ba99109d4a557cf33aab04df90d846

SHA256
0597642d6c2f0c7d06a58b677eee63b75c4615a05f0ab095feb36534555f55d0

SHA512
9ae166748eaa8b7804428b8270a8a1a087dc821b9fe92ccd2cb384e776dd6695b526a29933a67617de3c233f0eeac2f8362de4cf523614bd4e1aa24117ed992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
a432e85541b648edbc7e01e54ea730ad

SHA1
7214fa6dd3586d28bbe166c1a3c6e61798e68f53

SHA256
ec696bc2a81e6edadbf46084429b19afaa6de07fc552090e711b28344be9d611

SHA512
41e0c37814a99635e8bad4e6e81f2e2f334bec1fcc6f0823de7c9d07860c17b9340b6b47b9f0d00d8ef5f1d1e0daac4e6f2a7238566306dedf615829ed5163df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
b7b1767a9916028e71eb35dde6cb620c

SHA1
17f9192a2e631afcd893b8137b994986b4be4a90

SHA256
85bfb30d6f0ea8b26f3be16bd5d6e2f0233815abd4a2ce527f5f842a406335a4

SHA512
fe36b94eb7859e97737b75057078f1307c35e06f0cd656a60be1da6179063017f6ea74c407627ff07829d77ed2a8876dbc795fa310ab6a5dfa518b6b1b3088de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\[email protected]\install.rdf

Filesize
717B

MD5
7ea47158e7f5fe0d596001315993172e

SHA1
a7519912d22d0f1443f75a53f3a6e87c05faf6bb

SHA256
acff2ef7a3252008b8c19372c6113c9c11ceb1046f9bd49a2eb937c293262be3

SHA512
63151fef83aa21e6e0a19a40cc366b96a6d7281dbe89b4c78e3fd391278eaa7ed78797573263ac002a52cf47f9b6f1dd68f800db99d0cdd9fcd7e73a3f7f3f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\50700d5a7730b.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\50700d5a7730b.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\fjlpkplmbcjmgdiinccbjhkokkjlbhge.crx

Filesize
7KB

MD5
85d82af82118abb7d9b62a9be4a92e01

SHA1
7002096588af4b0ac89c8f58a78609f12ce8145b

SHA256
bc18e5f08db3628f7c5bb9b891c701081ee356dcab5ab3fef3b0dcae8852cc9c

SHA512
120ad6acdd4c9a849d9c074e8428740110f095f6d7634b479ff97c6732de4739e080fe2de9a4841cc440d80d58048ad67ceadbd33d97a9f1ad776ba180d42669

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB73.tmp\settings.ini

Filesize
638B

MD5
56170961cf325cf40cb22ac54f0af9f4

SHA1
1ea59c9f5a432bb29b60d23560fa1ea8de4355b9

SHA256
3186650513012c1ddec25c88e5e3da301c7b1317003dea80bac5809228820d5e

SHA512
ed5551e413f38107c226ed0b934bb233a3bcb49041f9ec1a91e6c6a8e6575938c6750b552cbd72c1f7de288978d0b5c64cc5b4f8465625273266c1c0b1fc41de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCD58.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit