5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11

Analysis

max time kernel
59s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2023, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe
Size

359KB
MD5

aa5aba029a334162a8f6f835b10047aa
SHA1

79ec95bf557958302d5afd784f6b21690ad3b950
SHA256

5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11
SHA512

f67aaf8817e49713aa3716a8a38e7f4db8c97c94a3af98e4ac937e69ec7ccf185e3821344f2198e3cd9d5dd496fb302f8274d9ee4cd4cb66d3ae4b85d6fb7fe3
SSDEEP

6144:PFYljEYN80tuEJTB82XqyLFLnIGfprVvohGnoudr:PFYljEYNvu4TF1IGVvo+

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1736	00000350.exe
4320	00002f63.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1324	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
240	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1736	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	88
PID 2240 wrote to memory of 1736	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	88
PID 2240 wrote to memory of 1736	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	88
PID 2240 wrote to memory of 4320	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	90
PID 2240 wrote to memory of 4320	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	90
PID 2240 wrote to memory of 4320	2240	5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe	90
PID 4320 wrote to memory of 5084	4320	00002f63.exe	93
PID 4320 wrote to memory of 5084	4320	00002f63.exe	93
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 5084 wrote to memory of 240	5084	firefox.exe	94
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 3584	240	firefox.exe	97
PID 240 wrote to memory of 936	240	firefox.exe	98
PID 240 wrote to memory of 936	240	firefox.exe	98
PID 240 wrote to memory of 936	240	firefox.exe	98
PID 240 wrote to memory of 936	240	firefox.exe	98

C:\Users\Admin\AppData\Local\Temp\5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe
"C:\Users\Admin\AppData\Local\Temp\5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\00000350.exe
  "C:\Users\Admin\AppData\Local\Temp\00000350.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\00002f63.exe
  "C:\Users\Admin\AppData\Local\Temp\00002f63.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --marionette --profile C:\Users\Admin\AppData\Local\Temp\00001ce7 -headless -no-remote
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --marionette --profile C:\Users\Admin\AppData\Local\Temp\00001ce7 -headless -no-remote
      4⤵
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:240
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.0.1520323341\1361352872" -childID 1 -isForBrowser -prefsHandle 2428 -prefMapHandle 1936 -prefsLen 1 -prefMapSize 218202 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 240 "\\.\pipe\gecko-crash-server-pipe.240" 2516 tab
        5⤵
        
        PID:3584
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="240.6.1562578843\89391337" -childID 2 -isForBrowser -prefsHandle 1920 -prefMapHandle 1868 -prefsLen 35 -prefMapSize 218202 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 240 "\\.\pipe\gecko-crash-server-pipe.240" 2772 tab
        5⤵
        
        PID:936
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\5b96c5e553067a8b259fb15155c79f7c632f19bb6800712f0a0ee1b328ef8d11.exe" >> NUL
  2⤵
  PID:4984
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00000350.exe

Filesize
10.2MB

MD5
7ecc26c832c07b00d32e0b9c9360c3a7

SHA1
37f69d14425297132beeffdf705fd61d981086a7

SHA256
37c78987cd4bd112f15a22e22cf42ecf315dc4179b4ac8332e3b0a9d167a4d91

SHA512
7e0e6bba05f2dd063fe4cf256a1dce5de7ae88eae3d80059c2631f75b0febbb70c830872cbdaca75cbc7e960bb2f4b6d8d37efadab3a98fbc547d3bf3b6a0fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00001ce7\cookies.sqlite

Filesize
96KB

MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\00001ce7\key4.db

Filesize
288KB

MD5
4a3833a09745e7cd6389d36ec5aaa3f5

SHA1
c13e0b2c41702041d93b124d9c33b24d67f135f5

SHA256
54552506852e5f7c631828196006d8efb180fe2607cfda89c606f5411f1a5845

SHA512
f257e1ef58a83d2df05a4029016de80e5d4973ff0eca13cf3a1d9c9b6355a5ed969ed339f3d2435ece8469eb70bf49cff5d2897c82e85ae4c796eef7990a2896

Download Submit
C:\Users\Admin\AppData\Local\Temp\00001ce7\user.js

Filesize
3KB

MD5
37011ad31245fe0575b904ea44a3c570

SHA1
39d64059d5b3a5bbf967ddb516d823d98b14fd03

SHA256
0182081c5f6d309d9cbc33c8e935d1e37a35cd0e367c74a16f862953645a941a

SHA512
136b05bc3aae0deddb8dde33acc6ee01e24ed0e0ade08ac5029de25b4330adce7eb6d4c04ac4857338c84d54656edec7ede362286518eede1f0f109e54ad264b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00002f63.exe

Filesize
3.3MB

MD5
f9df44ca9021e81af74f32702dd0bfb7

SHA1
6d3c8cb23d1d7c87f01d118f707898dd1bb142a7

SHA256
a4b57e0f6660bf02351a2715b8eca573af5c4f21ac990bc69021d9f23ca5adea

SHA512
0505ce359710a33cb08c9cde2e8b7559f3951bd29eb44d2f9ea4981bdcdac7e0dbcee0893443787e3fdbf6def2c9afb37b68f55ea8238638062f34f3c1a5175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00002f63.exe

Filesize
3.3MB

MD5
f9df44ca9021e81af74f32702dd0bfb7

SHA1
6d3c8cb23d1d7c87f01d118f707898dd1bb142a7

SHA256
a4b57e0f6660bf02351a2715b8eca573af5c4f21ac990bc69021d9f23ca5adea

SHA512
0505ce359710a33cb08c9cde2e8b7559f3951bd29eb44d2f9ea4981bdcdac7e0dbcee0893443787e3fdbf6def2c9afb37b68f55ea8238638062f34f3c1a5175b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads