b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe
Size

7.1MB
MD5

73f93de9122c1cb5ab2114a48ac89aa5
SHA1

7c7e89120c223757cd56444dd59038ce7d51cc1d
SHA256

b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159
SHA512

dd98dcc58f123b43bc3fd9ff08e1e721780de32f99ace9bacbe1cdd7d1fcd6ef0d271cd2c4fd6c3d23455a95d171af1cfa40c6946ebccb40a89fa56630106f52
SSDEEP

12288:eOdKn0MN4QLAgiEQRSWeFhYaUBm4tlTcVt1NAXo0ntZt7r457iY3ziFitiEj8mJM:uLt8sz8w8AneH9dkKEYju8z2Lx5v

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1548	MihJq.exe.exe
1096	dzyaI.exe.exe
1184	Atom Emulator.exe

Loads dropped DLL 6 IoCs

pid	Process
1096	dzyaI.exe.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1308	1184	WerFault.exe	28

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1548	1452	b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe	26
PID 1452 wrote to memory of 1548	1452	b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe	26
PID 1452 wrote to memory of 1548	1452	b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe	26
PID 1548 wrote to memory of 1096	1548	MihJq.exe.exe	27
PID 1548 wrote to memory of 1096	1548	MihJq.exe.exe	27
PID 1548 wrote to memory of 1096	1548	MihJq.exe.exe	27
PID 1548 wrote to memory of 1096	1548	MihJq.exe.exe	27
PID 1096 wrote to memory of 1184	1096	dzyaI.exe.exe	28
PID 1096 wrote to memory of 1184	1096	dzyaI.exe.exe	28
PID 1096 wrote to memory of 1184	1096	dzyaI.exe.exe	28
PID 1096 wrote to memory of 1184	1096	dzyaI.exe.exe	28
PID 1184 wrote to memory of 1308	1184	Atom Emulator.exe	31
PID 1184 wrote to memory of 1308	1184	Atom Emulator.exe	31
PID 1184 wrote to memory of 1308	1184	Atom Emulator.exe	31
PID 1184 wrote to memory of 1308	1184	Atom Emulator.exe	31

C:\Users\Admin\AppData\Local\Temp\b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe
"C:\Users\Admin\AppData\Local\Temp\b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Users\Admin\AppData\Roaming\Atom Emulator.exe
      "C:\Users\Admin\AppData\Roaming\Atom Emulator.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 560
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
C:\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe

Filesize
2.6MB

MD5
001292623404de06887a7013b6616003

SHA1
f10585236c54c9cec593e9060760ef033c5115cb

SHA256
438e247e83964178b593601115baa1097fddbee48d01c8e1baa918d67dd5542f

SHA512
1b9bc2114a1201def741a7e0a0259d061c9bcb4f7b2c45811f30aeac2a9771ff5ae6b38a1de733aa83dc2fd7c0ba5ba6388dae6e2568892fbefe922e4deda8d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe

Filesize
2.6MB

MD5
001292623404de06887a7013b6616003

SHA1
f10585236c54c9cec593e9060760ef033c5115cb

SHA256
438e247e83964178b593601115baa1097fddbee48d01c8e1baa918d67dd5542f

SHA512
1b9bc2114a1201def741a7e0a0259d061c9bcb4f7b2c45811f30aeac2a9771ff5ae6b38a1de733aa83dc2fd7c0ba5ba6388dae6e2568892fbefe922e4deda8d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe

Filesize
1000KB

MD5
d528837382ba279d7defbeaaf35a46d5

SHA1
1fcab0afd56c2219b90b3bc218001d60a7e37c7d

SHA256
a05108f66d4b01a1f00448ff5e730e644cedf226a142d86fdf497234a18b0337

SHA512
f3c575f48cc5c7eb6cc349e1a74bf6969ff51c31db48e55723e20d59587ad60fc4085fe8a66d50fa08b27c8f2f3dddf9b473c94eff30e86fd6fb23975efb881b

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
\Users\Admin\AppData\Roaming\Atom Emulator.exe

Filesize
637KB

MD5
107bf383b07a008456b2d085b51df2c8

SHA1
e1f1447d8950fead479107b3c2978d9bcec983f8

SHA256
95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

SHA512
6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

Download Submit
memory/1096-63-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1184-68-0x00000000013C0000-0x0000000001464000-memory.dmp

Filesize
656KB

Download
memory/1452-54-0x000007FEF38E0000-0x000007FEF4303000-memory.dmp

Filesize
10.1MB

Download
memory/1452-55-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1548-59-0x000007FEF38E0000-0x000007FEF4303000-memory.dmp

Filesize
10.1MB

Download