e2e202fda0ca462db8c71225a76c177dfb28a5da0fc8993de3ec5d9aae9f98b0

Analysis

max time kernel
367s
max time network
1219s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
06/01/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SublimeText4.zip
Size

8.7MB
MD5

fec9ce0c54cf19606555b133dda68a70
SHA1

e3c9e92454c454baf9c9bde9ad59f8080e7bbe0a
SHA256

e2e202fda0ca462db8c71225a76c177dfb28a5da0fc8993de3ec5d9aae9f98b0
SHA512

99bbd09937e7b2b4ff05dbf1f1480b587a5644025b35e07fff0ef3c48a6e7418bb1d4a10d9d9fb3f9870a98fe84f5da6871cfa186f8776094f94163d59e3f5a3
SSDEEP

196608:xyIpHnwUY1kYg8qxPYUt7I/Re6C6Bm4qmFiPGRQpg5UkC:xpvK9n/mhmgPGRQyykC

Score

8^/10

collection discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4968	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4132	SublimeSetup.exe

Loads dropped DLL 1 IoCs

pid	Process
4968	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4132	SublimeSetup.exe
4132	SublimeSetup.exe
4132	SublimeSetup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8	4968	WerFault.exe	73

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3600	7zG.exe
Token: 35	3600	7zG.exe
Token: SeSecurityPrivilege	3600	7zG.exe
Token: SeSecurityPrivilege	3600	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3600	7zG.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4968	4132	SublimeSetup.exe	73
PID 4132 wrote to memory of 4968	4132	SublimeSetup.exe	73

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SublimeText4.zip
1⤵
PID:2616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap27583:82:7zEvent16675
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3600

C:\Users\Admin\Desktop\SublimeSetup.exe
"C:\Users\Admin\Desktop\SublimeSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\system32\rundll32.exe
  "C:\Users\Admin\AppData\Roaming\nsis_unse599fff.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Ev7AHYjAGkAcAB4vwB0AG8Aa0kAc78AUwAwAGEtAln|SIPsKOgEAgD|AEiDxCjDzMz|zEyJRCQYSIn|VCQQSIlMJAj+XQFIi0QkMEiJ2wQkgQE4SG8ACEhvx0QkEC0B6w6BAV8QSIPAAY8BEIEBt0BIOZYAcyWfA4v|DCRIA8hIi8HXSItMqwFUewAD0f9Ii8qKCYgI6|3BZgVlSIsEJWD+8|AzyUiLUBhI|zvRdDZIg8Ig|0iLAkg7wnQq|2aDeEgYdRpM|4tAUGZBgzhru3QHERFLdQgREHj|EC50BUiLAOuv1UiLSP0AwWoAQP9TVVZXQVRBVe9BVkFXXQFmgTn|TVpNi|hMi|K|SIvZD4X88|BM|2NJPEGBPAlQv0UAAA+F6vPwQe+LhAmI8|CFwEi|jTwBD4TWahGDd7wJjC0BD4TH8|D|RItnIESLXxz|i3ckRItPGEz|A+FMA9lIA|H|M8lFhckPhKT+8|BNi8RBixBF|zPSSAPTigKE|8B0HUHByg0Pe77A+gABRAPQvxH|dexBgfqq|A3|fHQOg8EBSYP|wARBO8lzaev|xovBD7cMTkX|iyyLTAPrdFj7M+2qEHRRQYsU|sEA0zPJigJMi9|C6w|BycgRA8je5RABQYoA1RDtM3|AM|ZBOwy24BD+pgCDxgGD+Ahy|+7rCkiLy0H|f9VJiQT3g8XkEH|EBDtvGHKvZgH|QV9BXkFdQVzvX15dWzMXSIHs+2ABZACL6ehm|v|||0iFwA+EmNZ1IEyNrwGLKxDIM|f|6Jt9II1fBEz|jUVGM9KLy||3VCRogCBMi+AP64RrdSBFqBAzwIt905EgSIl8JCCmIP1wgCBIi|APhEv8dSCmIFBIjVYIRH+NR0BIjYwkhRG|SIvY6Hz9fiCNq1ZI3iAQ4iHM8|Do|WfvIESLBo1XCPRBIKYgWMohiYQkgNqHEt7z8IsO2iBYiWOMJHERBzCRIOgx7yD7i5wtMkyLXTpI74P7bEiKIDBMib9kJDhMi6QaMky7iVyEAYQk3IcRhu2SjRGNR0swjCTwfvPwSYvU6On8BTC7ipx4MkiNhHgyQf+A8yGNT2xEMP0YpAKD6QF184H9vHgyIVJleHVN74uEJPQiMZQk+P41AcJIO9hyOIP|+mx2M0SNSUCe+gCUQbgAmACmIECeyiL4dBlEtjDAMUnvjVQkbJEgSYPod2zoa4IwSIvOpiD|eEiF|3QSi1XzQkyOMBsxSI1MJD9A|9dIgcR0IWEkAC0ILQE=
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4968
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4968 -s 504
    3⤵
    - Program crash
    PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nsis_unse599fff.dll

Filesize
57KB

MD5
713062daba2534394662294035fd7e92

SHA1
40270752db5576f1d5e6c935f224754c7b6c3450

SHA256
e6a5ca65acfd261d56f622f891bf04e6d41862ab505466374daeee8852a01b71

SHA512
e07d9c38d43334cb8e35b32c12eef9ff1ddb7ffe0004ae0d56fe3fb24fbec6b179b631f61afc54b1d31ad02c619442c783a9d881cce86be833b39c59f236b2fd

Download Submit
C:\Users\Admin\Desktop\SublimeSetup.exe

Filesize
717.1MB

MD5
f9d24d508200a0f652ec68e0e782d4dc

SHA1
da3b896b26960f9c7de45b311eac311743d02e6c

SHA256
3a47750df80b6dbb548f26500bba98aaa4312caa083fbe941647b93f8ce050c2

SHA512
0803f1c1e81ffcef8a82c6a52755f4559f5acf856641d6ff9bcdc1860b4fb18a0a3da24c67f26332aa12d1e64007e49bbb10b4b94b0c9ea191ca4db15b3543ab

Download Submit
C:\Users\Admin\Desktop\SublimeSetup.exe

Filesize
717.1MB

MD5
f9d24d508200a0f652ec68e0e782d4dc

SHA1
da3b896b26960f9c7de45b311eac311743d02e6c

SHA256
3a47750df80b6dbb548f26500bba98aaa4312caa083fbe941647b93f8ce050c2

SHA512
0803f1c1e81ffcef8a82c6a52755f4559f5acf856641d6ff9bcdc1860b4fb18a0a3da24c67f26332aa12d1e64007e49bbb10b4b94b0c9ea191ca4db15b3543ab

Download Submit
C:\Users\Admin\desktop\Privacy Policу\cmds\cmds\system\keystroke.gt

Filesize
6KB

MD5
21ae03873b350256641799662580ade8

SHA1
514eefda0379921195e7ef78135e1516de1eb9ef

SHA256
8401ca19fbc5d0f99269ee14241c7882f1d61885402a4a4bc71c6665f7e5279a

SHA512
39198d9c128fc513553027b92d39c6693fc3f605c4c332ed1465ddbd42dc1cd009e17cc85c81a6ee5facf92a5421e96f03080ddb3fecf6b2151e46339a376889

Download Submit
C:\Users\Admin\desktop\Privacy Policу\cmds\libs\keyboard.g

Filesize
4KB

MD5
6c9e1d1d1be0501a75d0632cf9241b96

SHA1
95ac710f94620a26040fd9f4c83d03e626b0bccb

SHA256
0078883d04ac51f86316887c10919114cf84cad61fc2817e6b50db4a9722f8b8

SHA512
eb9059dd7cc8a2d307b2e06d4a15b5491edda185b5c6dbdd708567ee7a4d88ab8bff6a301a4bbe0c0e093a2266603d8d536abe6d304f68fe39b92400f889cafe

Download Submit
C:\Users\Admin\desktop\Privacy Policу\cmds\sources\keystroke.g

Filesize
5KB

MD5
dd3115f2908fe1b419a0aa12e51ef0b3

SHA1
772a98361aa87c63bbf393c121995a932887cbfd

SHA256
817e3e92ebf78dc10849246b0f8835496b30d85023d6ff305c385d85214964d2

SHA512
32ab286b598c516fc63b2133135b062a4c8375420ccba5b7dd31a9329e98a3a4f85581e011e5984e6d649d5b53d2c81d803797e79d2dad05054925f7fb28f4f1

Download Submit
\Users\Admin\AppData\Roaming\nsis_unse599fff.dll

Filesize
57KB

MD5
713062daba2534394662294035fd7e92

SHA1
40270752db5576f1d5e6c935f224754c7b6c3450

SHA256
e6a5ca65acfd261d56f622f891bf04e6d41862ab505466374daeee8852a01b71

SHA512
e07d9c38d43334cb8e35b32c12eef9ff1ddb7ffe0004ae0d56fe3fb24fbec6b179b631f61afc54b1d31ad02c619442c783a9d881cce86be833b39c59f236b2fd

Download Submit
memory/4132-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-165-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/4132-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-173-0x0000000000990000-0x00000000009C5000-memory.dmp

Filesize
212KB

Download
memory/4132-174-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/4132-175-0x000000000073A000-0x000000000073D000-memory.dmp

Filesize
12KB

Download
memory/4132-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-180-0x0000000000850000-0x0000000000873000-memory.dmp

Filesize
140KB

Download
memory/4132-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-187-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-191-0x000000000AB3B000-0x000000000BEAA000-memory.dmp

Filesize
19.4MB

Download
memory/4132-196-0x0000000000990000-0x00000000009C5000-memory.dmp

Filesize
212KB

Download
memory/4132-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4968-192-0x00000189B38E0000-0x00000189B38E7000-memory.dmp

Filesize
28KB

Download
memory/4968-193-0x00007FF67E160000-0x00007FF67E25A000-memory.dmp

Filesize
1000KB

Download
memory/4968-200-0x00007FF67E160000-0x00007FF67E25A000-memory.dmp

Filesize
1000KB

Download
memory/4968-201-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download