381e884829e765cbdf83184324a99abe61715781665da56d7e6700f01e3912a1

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

75.8MB
MD5

f7d1571fbbdc6a510ff26daeed172170
SHA1

f9a151c5655ce5ee95734665281298943a88f23b
SHA256

381e884829e765cbdf83184324a99abe61715781665da56d7e6700f01e3912a1
SHA512

91f9d0564848b298562e6b2b29adfe70d060eb950345cf12669f8e55a9f5b4c60fd6ea647fa8d6d9905e1e2bf0d36a43247ed63592a5f9c2e526cc89a5ab85c0
SSDEEP

786432:0zSNJtWyuoRCx4Col4rMmEyCc3siXMkSY/I8:0GNJrl4rMp4JnI8

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2376	sample.exe
2376	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
112	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2508	2376	sample.exe	86
PID 2376 wrote to memory of 2508	2376	sample.exe	86
PID 2508 wrote to memory of 116	2508	cmd.exe	87
PID 2508 wrote to memory of 116	2508	cmd.exe	87
PID 2508 wrote to memory of 112	2508	cmd.exe	88
PID 2508 wrote to memory of 112	2508	cmd.exe	88
PID 112 wrote to memory of 4592	112	powershell.exe	89
PID 112 wrote to memory of 4592	112	powershell.exe	89
PID 4592 wrote to memory of 3008	4592	csc.exe	90
PID 4592 wrote to memory of 3008	4592	csc.exe	90

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g5cg0kfk\g5cg0kfk.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E99.tmp" "c:\Users\Admin\AppData\Local\Temp\g5cg0kfk\CSC55A4BF6AE5EC4CC5AE334681B4EF99B3.TMP"
        5⤵
        
        PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\lib\binding\napi-v3-win32-x64\node_sqlite3.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\ignore-walk\LICENSE

Filesize
765B

MD5
82703a69f6d7411dde679954c2fd9dca

SHA1
bb408e929caeb1731945b2ba54bc337edb87cc66

SHA256
4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b

SHA512
3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\node-pre-gyp\package.json

Filesize
2KB

MD5
c805601907d0fc526136632c0aba18d3

SHA1
72fbba26600697c82dc191709dd7d4b8721038ee

SHA256
b0d2a69729723be09eab6197cb5b566802b96d41f1badf4d526be1d7141fccb0

SHA512
739d2dad3dfbc4a08ae2063447d03c0d9a54d7b69039faa35cd39a4c1e11745fb0eee9c5e6f88a0718bcf11652a912b1512bef26d4e3f354844f7dc1ca123ecc

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\object-assign\license

Filesize
1KB

MD5
a12ebca0510a773644101a99a867d210

SHA1
0c94f137f6e0536db8cb2622a9dc84253b91b90c

SHA256
6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c

SHA512
ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\node_modules\tunnel-agent\LICENSE

Filesize
8KB

MD5
f3f8ead5440d1c311b45be065d135d90

SHA1
05979f0750cf5c2a17bd3aa12450849c151d8b7c

SHA256
d446a8c73d7bbe4872d6524b15ae206f9a2d7eb53f8c9cb6e6c893a43acc5276

SHA512
d52ead0329e9223dce3d54f83c9e8caab7974355c248e2e85a1a8aa3198af402507761c22bad31307ae3bda06528ed0b3487e9ac9f6a6c3c413e09a5acac915d

Download Submit
C:\Users\Admin\.nexe_natives\sqlite3\package.json

Filesize
3KB

MD5
6fc2ac3e58ea88eba8ef8c78257804e6

SHA1
92ce5c01712271f80aa85e2ba78c2e06791b4b1f

SHA256
1ee12a8175e8a1c842a9790de45777c7a253588a7f02e5f8c314ec0d75b90567

SHA512
85dbb253372ce1f61ea4bc8d1eed8b489808f6f2f39a1d4713e7618268bc1b328f7667bbbadf91502e41b54ee5f16bf85f377737b34d08e8971077d0059771c8

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
741ecb81bf1d0c7f93d492d24df98bb4

SHA1
8ce8fb8ff99f497800ef03bb09f687e5e6d4ea05

SHA256
2bcf0a481329ca1989a3752bad38dc3cdb0520c81ac73d4e4aa8e6c7cb5e115c

SHA512
fe4a0d54dfbc1918aaf6e13fb6ced017999c4f7fc0f56ef584bb38fd43013bd632680196ca56b255c2b93e8e1da36b1fc7842ad82ca0d86e5abff3f99a818457

Download Submit
C:\Users\Admin\.nexe_natives\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
741ecb81bf1d0c7f93d492d24df98bb4

SHA1
8ce8fb8ff99f497800ef03bb09f687e5e6d4ea05

SHA256
2bcf0a481329ca1989a3752bad38dc3cdb0520c81ac73d4e4aa8e6c7cb5e115c

SHA512
fe4a0d54dfbc1918aaf6e13fb6ced017999c4f7fc0f56ef584bb38fd43013bd632680196ca56b255c2b93e8e1da36b1fc7842ad82ca0d86e5abff3f99a818457

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E99.tmp

Filesize
1KB

MD5
3b6192474cd5a859029a25d1d3ea800a

SHA1
26863b095811df71dc03967033f8c4a2b790c7ca

SHA256
65ff0037f113a0e0e0cb2c12d4dedb848e6fc34fd74fc013acf4592e3836de4e

SHA512
e658ab047c5074d393bea506b8f389c7bce3392c228267e5caaf3128b12e73b836d58b85c7ac036f7ec5650cea053e03f0286567ee6d837128aec25b6f294cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwy2z0mf.zb5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5cg0kfk\g5cg0kfk.dll

Filesize
3KB

MD5
411eb4296afc8a77c714ee8925ca0254

SHA1
329c64e1a35f6d5a94a6c32a2e4a9d8d586f8787

SHA256
0d343ae92b6170cd26e901f96e31289e8429123db71e989518ee5858501c8f75

SHA512
1720c7be5677b8e5c54175168d650986f4186a364fd46639a7951d057e46509040342d05411cac30414953d5a6fcb1ddf64065eed5dcf8ad55607be7da899fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5cg0kfk\CSC55A4BF6AE5EC4CC5AE334681B4EF99B3.TMP

Filesize
652B

MD5
991f6ca1400c77bb8c3482c07a469956

SHA1
a7529961bda5c43b7deecd9be046fd7aabba7b00

SHA256
c319dc2d4d5983453db3a95ca821ffba0fe761c2f5ffe7a1235c3cd7a17d3ab7

SHA512
40dfccc17d0201fcfa6daa562e2abd0df67ae7ef86321acda9f26d8c39600443317a8afa7d6b25e861025d14073ffdff569209399c1c0f12e3822d3b7f986e76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5cg0kfk\g5cg0kfk.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5cg0kfk\g5cg0kfk.cmdline

Filesize
369B

MD5
de4e09723056f1b3fbc2f5f168d1c6f1

SHA1
e865569986bf39de0a20ad0652fbd6add9beb46e

SHA256
6f56973ae4624b8874832bf50e17194ae6a83cd6e82bd0f8d1638241bf65d8a0

SHA512
ea85ff4e20e754779267c168df5b01a26c502eab8b97558e8b901d37ff7a5e0e330678a00919e8a30c316e914ea2586d58cf984e7b04ca487de43d5119f08970

Download Submit
memory/112-150-0x00000245EFC70000-0x00000245EFC80000-memory.dmp

Filesize
64KB

Download
memory/112-149-0x00000245EFC70000-0x00000245EFC80000-memory.dmp

Filesize
64KB

Download
memory/112-148-0x00000245EFC70000-0x00000245EFC80000-memory.dmp

Filesize
64KB

Download
memory/112-147-0x00000245F17F0000-0x00000245F1866000-memory.dmp

Filesize
472KB

Download
memory/112-146-0x00000245F1360000-0x00000245F13A4000-memory.dmp

Filesize
272KB

Download
memory/112-145-0x00000245F12E0000-0x00000245F1302000-memory.dmp

Filesize
136KB

Download