3c90b3d32f3fe37632edfad2b768cf77d70e7de0d3291d0e5274ea8a7dc69141

Analysis

max time kernel
125s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slither x32y 64/nw.exe
Size

1.2MB
MD5

1e0a6531ac049218b21117bae9f1c97c
SHA1

d84a9b8027b137798763a2719b10511200c803ed
SHA256

6ce31b657cd28cdd5bf665cf7dd45ccf235a8031d16134ec868f84875f9ef553
SHA512

e9f0d55b66e6f4bef41252e4853610d95c22c05868f8de86da9545b19020123934f606cf5000634333b505325b3a930e820bc631140c3d189f21b2b861818a65
SSDEEP

24576:QhbjXbCjgIv4An+9LPiG0WBliA/DlrmqyDjG5:2bXCj6AWPiY2A/DsO5

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	nw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	nw.exe
1604	nw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1604	nw.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4124	1604	nw.exe	79
PID 1604 wrote to memory of 4124	1604	nw.exe	79
PID 1604 wrote to memory of 4124	1604	nw.exe	79
PID 1604 wrote to memory of 2004	1604	nw.exe	82
PID 1604 wrote to memory of 2004	1604	nw.exe	82
PID 1604 wrote to memory of 2004	1604	nw.exe	82
PID 1604 wrote to memory of 4224	1604	nw.exe	83
PID 1604 wrote to memory of 4224	1604	nw.exe	83
PID 1604 wrote to memory of 4224	1604	nw.exe	83
PID 1604 wrote to memory of 4024	1604	nw.exe	84
PID 1604 wrote to memory of 4024	1604	nw.exe	84
PID 1604 wrote to memory of 4024	1604	nw.exe	84
PID 1604 wrote to memory of 4780	1604	nw.exe	94
PID 1604 wrote to memory of 4780	1604	nw.exe	94
PID 1604 wrote to memory of 4780	1604	nw.exe	94
PID 1604 wrote to memory of 3144	1604	nw.exe	95
PID 1604 wrote to memory of 3144	1604	nw.exe	95
PID 1604 wrote to memory of 3144	1604	nw.exe	95

C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
"C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=nwjs --annotation=ver=-devel --handshake-handle=0x214
  2⤵
  PID:4124
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=gpu-process --channel="1604.0.1768736814\1670441687" --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --disable-breakpad --supports-dual-gpus=false --gpu-driver-bug-workarounds=3,11,25,54 --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=10.0.19041.868 --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:2
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1604.1.2012297260\1741180373" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=renderer --no-sandbox --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding --lang=en-US --force-fieldtrials=*AsyncSetAsDefault/Enabled/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*AutomaticTabDiscarding/Enabled_Once/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterExe/SafeBrowsingUpdateFrequency/UpdateTime15m/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/UseDelayAgnosticAEC/DefaultEnabled/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/ --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --nwjs --extension-process --enable-webrtc-hw-h264-encoding --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --channel="1604.2.296471935\337877386" /prefetch:1
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1604.3.668831640\448078225" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe
  "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1604.4.998723829\573733554" --lang=en-US --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8
  2⤵
  PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
3e255dedcd64447cd27b892935c61e30

SHA1
7a00e17893a7f6883e81aa7396301391a232d5d5

SHA256
3087deb3c3a050007cc8fc3e7adb5c04a76259f9f19de6169c2ed21ef6dae110

SHA512
f48f2fe4cdce4be26326b58486652b11e520bee7235382e6bb474d0bd8089ddbe839ad8ea385c5127df6daa6edacc6d8cb9eee2d85f57a9ff3a8b449e10e3b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
266B

MD5
d67cf9988c0ae87d07071c52af3011cb

SHA1
66cc0e09ccb67286232358506855921e7657e83b

SHA256
da39b069bc4de101d2f0ebe43243c5579b0870c8f7a871c66702294c2f0f02b4

SHA512
f6331484243ddd1f34f5a780a23f9431b20be80176d83f185d9d05012e0106536339ec668c06c095d13db0dfe72fc4775e4b56651a2b27a32e1accff931e1072

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
346B

MD5
ca2dd6700d9d9fc292ca48e2d3428002

SHA1
76b9af7e6b122bfd056faae9d7c6ba65e7ebf4d2

SHA256
e63c61e9931931b62ff476f53620dfb15c0c2b745f37327bf7491d43c8bef22e

SHA512
25ddce8100777f9f332f9587052a77bc1fca6a310aa79e6837d9d4efe8d4a95c1daacde4f1461163d2ce3b223b8d9ac052d1d0cc77872fafde7124b90ea964bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\debug.log

Filesize
426B

MD5
8ad01645853861445878f8115ad5c0ed

SHA1
ebcb91b5db64a4a823b4fa6f1e7afd3a211a328b

SHA256
3d53ffc48e08abb758b28ab84ec22cdff42d519371d5c440902baf8b01800611

SHA512
98b4f7d832bb73cf7d4f919379ecba3e4ca9f65a5ffc5f54a50aea3f03ca9f45e43e440a3f5004aa9addf8424482335115df629d4cda2959b27b7f6f6e9bdb8a

Download Submit