01842e24de82197032b21c850b75eb931223fcc8b1220d6676f9e6f8d4488e99

Resubmissions

17/04/2023, 11:32

230417-nnkvtsdh63 10

24/03/2023, 17:23

230324-vyhlsaga37 7

Analysis

max time kernel
135s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

81.7MB
MD5

82bc0607f18e933669cea4381090a42e
SHA1

1b1891f9b6f79de7ef774f654f9bd7981d713a2b
SHA256

01842e24de82197032b21c850b75eb931223fcc8b1220d6676f9e6f8d4488e99
SHA512

6690404a377413a3c47dce7bb1c378467a2c1039abe35542ecfd4d4dc7f01ea230ee6787c0318513395a621655048c991e2dd0d500762b78683a6cb86b3e3886
SSDEEP

393216:91JEv+zYZH0UCIBWMM9TZ0VoMJUfXPWNIEQvI8PnxXdPkF1NwAJBLfmMcuB0hUBx:92Z1EXu5oEcVyuCcwTpH9YC2jpY/I+

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
640	sample.exe
640	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3944	powershell.exe
3944	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2296	640	sample.exe	87
PID 640 wrote to memory of 2296	640	sample.exe	87
PID 2296 wrote to memory of 2980	2296	cmd.exe	88
PID 2296 wrote to memory of 2980	2296	cmd.exe	88
PID 2296 wrote to memory of 3944	2296	cmd.exe	89
PID 2296 wrote to memory of 3944	2296	cmd.exe	89
PID 3944 wrote to memory of 4348	3944	powershell.exe	90
PID 3944 wrote to memory of 4348	3944	powershell.exe	90
PID 4348 wrote to memory of 4588	4348	csc.exe	92
PID 4348 wrote to memory of 4588	4348	csc.exe	92

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kbz1webw\kbz1webw.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD788.tmp" "c:\Users\Admin\AppData\Local\Temp\kbz1webw\CSC12F231D39323442685BD4DA1DED96060.TMP"
        5⤵
        
        PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\ignore-walk\LICENSE

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\node-pre-gyp\package.json

Filesize
2KB

MD5
c805601907d0fc526136632c0aba18d3

SHA1
72fbba26600697c82dc191709dd7d4b8721038ee

SHA256
b0d2a69729723be09eab6197cb5b566802b96d41f1badf4d526be1d7141fccb0

SHA512
739d2dad3dfbc4a08ae2063447d03c0d9a54d7b69039faa35cd39a4c1e11745fb0eee9c5e6f88a0718bcf11652a912b1512bef26d4e3f354844f7dc1ca123ecc

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\object-assign\license

Filesize
1KB

MD5
a12ebca0510a773644101a99a867d210

SHA1
0c94f137f6e0536db8cb2622a9dc84253b91b90c

SHA256
6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c

SHA512
ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\tunnel-agent\LICENSE

Filesize
8KB

MD5
f3f8ead5440d1c311b45be065d135d90

SHA1
05979f0750cf5c2a17bd3aa12450849c151d8b7c

SHA256
d446a8c73d7bbe4872d6524b15ae206f9a2d7eb53f8c9cb6e6c893a43acc5276

SHA512
d52ead0329e9223dce3d54f83c9e8caab7974355c248e2e85a1a8aa3198af402507761c22bad31307ae3bda06528ed0b3487e9ac9f6a6c3c413e09a5acac915d

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\package.json

Filesize
3KB

MD5
6fc2ac3e58ea88eba8ef8c78257804e6

SHA1
92ce5c01712271f80aa85e2ba78c2e06791b4b1f

SHA256
1ee12a8175e8a1c842a9790de45777c7a253588a7f02e5f8c314ec0d75b90567

SHA512
85dbb253372ce1f61ea4bc8d1eed8b489808f6f2f39a1d4713e7618268bc1b328f7667bbbadf91502e41b54ee5f16bf85f377737b34d08e8971077d0059771c8

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
73014193067589feeae80c055dc356f8

SHA1
7ce792fe932ebc29c4c56d2ee238cc4aa07ab245

SHA256
2dc81875cafc9bbd1d1c1fce32a5147d0a3e8266711f765b82679b36e236e9d6

SHA512
2d147171810837a14863130b0938a245c51e579a6ecb5e471f2322c67cfda7ee91dc4a8d54be6ce2a61e36bf7edddfde9eee73f2dc05eda391deab22d68b8c12

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
73014193067589feeae80c055dc356f8

SHA1
7ce792fe932ebc29c4c56d2ee238cc4aa07ab245

SHA256
2dc81875cafc9bbd1d1c1fce32a5147d0a3e8266711f765b82679b36e236e9d6

SHA512
2d147171810837a14863130b0938a245c51e579a6ecb5e471f2322c67cfda7ee91dc4a8d54be6ce2a61e36bf7edddfde9eee73f2dc05eda391deab22d68b8c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD788.tmp

Filesize
1KB

MD5
d2d190dca2fbb1eda7e62a90d89f166e

SHA1
f80ca27fc7983bcb0c350502d88c7a6ee13f290c

SHA256
b0f0c73d07a317c5ccce6c2dba465be1738a344fbcddeafe8fa7a9bc2e73722f

SHA512
6494ec8040cbe51f0b90d5f773d4b2d983984fde84fdea661e89c7335b4372cf4e9cc725ee0842b62ec3bd86c673d4234885bc2814b48541cd9557fc51ca130b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hewanbj.wnb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbz1webw\kbz1webw.dll

Filesize
3KB

MD5
db5400ffd9335994717be413d4657ff2

SHA1
57c56ac32aeaeace6e0e2a5538baf181dbd26f11

SHA256
7d1c6ec30c3e03e7ec4cba73f1169fb0a17818907f985a8ed8d6c73884608058

SHA512
05d4ed7d386986493fe75374168436f8ddafd226507826330bb5de8408caf725d150ccddfb220dfff9c6aac42db5a7ed0db0d0730258fd9f368e5ba3b14505dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kbz1webw\CSC12F231D39323442685BD4DA1DED96060.TMP

Filesize
652B

MD5
8f8bce063f5d03302d4c32cdf3dcc705

SHA1
e99d86c1608fd8f38be7197b0e21f61e258bf8ba

SHA256
89da5e6008226f20e438165060b4700b1cc0817df0374a119b017c4ec874dee5

SHA512
00c11b488bc0e225b14f46c1c72e90d0611fa4d0de47aa56c791806c5fe5a6141de472642296534352fdd557c09635a2eaf7c47b7ce47edd1e7872ee52972000

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kbz1webw\kbz1webw.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kbz1webw\kbz1webw.cmdline

Filesize
369B

MD5
59f4a4459d700cecfac7835cef72613a

SHA1
03961a61adf41348a78fd3dc80dcf45d1a0b0e1b

SHA256
69651e2745be03145edd83b7c15c573469148ba89124524016f801407670c987

SHA512
82db4ab8934aba67211b422b58f681ae6912088885369f7701d53cc8215de8ac72bb3252b4abf208466fb5d595bb7d356859acd5b69336c6f1a33f14ecff58c3

Download Submit
memory/3944-150-0x000001ECF7920000-0x000001ECF7930000-memory.dmp

Filesize
64KB

Download
memory/3944-149-0x000001ECF7920000-0x000001ECF7930000-memory.dmp

Filesize
64KB

Download
memory/3944-148-0x000001ECF7920000-0x000001ECF7930000-memory.dmp

Filesize
64KB

Download
memory/3944-147-0x000001ECF8740000-0x000001ECF87B6000-memory.dmp

Filesize
472KB

Download
memory/3944-146-0x000001ECF8420000-0x000001ECF8464000-memory.dmp

Filesize
272KB

Download
memory/3944-136-0x000001ECF6030000-0x000001ECF6052000-memory.dmp

Filesize
136KB

Download