3c90b3d32f3fe37632edfad2b768cf77d70e7de0d3291d0e5274ea8a7dc69141

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/02/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slither x32y 64/nw.exe
Size

1.2MB
MD5

1e0a6531ac049218b21117bae9f1c97c
SHA1

d84a9b8027b137798763a2719b10511200c803ed
SHA256

6ce31b657cd28cdd5bf665cf7dd45ccf235a8031d16134ec868f84875f9ef553
SHA512

e9f0d55b66e6f4bef41252e4853610d95c22c05868f8de86da9545b19020123934f606cf5000634333b505325b3a930e820bc631140c3d189f21b2b861818a65
SSDEEP

24576:QhbjXbCjgIv4An+9LPiG0WBliA/DlrmqyDjG5:2bXCj6AWPiY2A/DsO5

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	nw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	nw.exe
1692	nw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	nw.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1956	1692	nw.exe	28
PID 1692 wrote to memory of 1956	1692	nw.exe	28
PID 1692 wrote to memory of 1956	1692	nw.exe	28
PID 1692 wrote to memory of 1956	1692	nw.exe	28
PID 1692 wrote to memory of 1008	1692	nw.exe	29
PID 1692 wrote to memory of 1008	1692	nw.exe	29
PID 1692 wrote to memory of 1008	1692	nw.exe	29
PID 1692 wrote to memory of 1008	1692	nw.exe	29
PID 1692 wrote to memory of 1684	1692	nw.exe	30
PID 1692 wrote to memory of 1684	1692	nw.exe	30
PID 1692 wrote to memory of 1684	1692	nw.exe	30
PID 1692 wrote to memory of 1684	1692	nw.exe	30
PID 1692 wrote to memory of 1340	1692	nw.exe	32
PID 1692 wrote to memory of 1340	1692	nw.exe	32
PID 1692 wrote to memory of 1340	1692	nw.exe	32
PID 1692 wrote to memory of 1340	1692	nw.exe	32
PID 1692 wrote to memory of 1688	1692	nw.exe	34
PID 1692 wrote to memory of 1688	1692	nw.exe	34
PID 1692 wrote to memory of 1688	1692	nw.exe	34
PID 1692 wrote to memory of 1688	1692	nw.exe	34
PID 1692 wrote to memory of 528	1692	nw.exe	35
PID 1692 wrote to memory of 528	1692	nw.exe	35
PID 1692 wrote to memory of 528	1692	nw.exe	35
PID 1692 wrote to memory of 528	1692	nw.exe	35

C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
"C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=nwjs --annotation=ver=-devel --handshake-handle=0xb8
  2⤵
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=gpu-process --channel="1692.0.317959510\70652472" --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --disable-breakpad --supports-dual-gpus=false --gpu-driver-bug-workarounds=3,11,25,54 --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:2
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.1.1653881189\1474360314" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=renderer --no-sandbox --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding --lang=en-US --force-fieldtrials=AsyncSetAsDefault/Enabled/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*AutomaticTabDiscarding/Enabled_Once/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterExe/SafeBrowsingUpdateFrequency/UpdateTime15m/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/UseDelayAgnosticAEC/DefaultEnabled/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/ --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --nwjs --extension-process --enable-webrtc-hw-h264-encoding --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --channel="1692.2.651161324\1868431757" /prefetch:1
  2⤵
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.3.767393763\430711649" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.4.909113253\1697046899" --lang=en-US --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
266B

MD5
84bb710132bbb463b77a9124f75ab96f

SHA1
91d52b1715f1412085e1399ea1cb84102e4fde32

SHA256
e7aae5db89eb481122673d13c7db75044a423c98ca3e9dc75c1b2e5d64a48b8b

SHA512
98d16db768fbe48402c61eba4c7a7eefbd75d73f5656abf500dfe40c14c03a6bcb269e131eaf2fdd8695778f1ae7fe9ac59a24876bb2d17cd60786ca7f805045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
346B

MD5
63fc5357f5a7e052f351c0d900245aa2

SHA1
02f8cd9f1ea98dd102e0438b2decb81c8d22ca5c

SHA256
3961ccb8241584987dd4054c2c8cf767e7de804380405f7bedcc5935108a1d8d

SHA512
386032cba5ed62436398fc7bdd9d27c96f7401a24728f4e4697b6107e01de2f6bdae1a8d283906600707711bf438a957ce8565a7af799e30df2f4355fbf300a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
426B

MD5
1badcabd65a271d11ce246013cca8be3

SHA1
7a4393bb7019fd4535891f75ce735ab50de34fe4

SHA256
beb8f73805345855d71088335b04dd3dde6d9a7eae9706dc380d2b091633373e

SHA512
d6241b0235cade9ba5af61e8468ec385f8978f921397bacf8e0f3a92ed336fd3ab461ed5f9f84325651866f819baa5923a718346f4c30f724b4e4c9979f5ed36

Download Submit
memory/1692-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download