de3c7ba6254b2826f3a9082db334cb2e5fb60fc233394e8fa8bc2764313ce994

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2023 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000900000002313f-1838.exe
Size

3.1MB
MD5

17f5da38b24f536ff81aec383e40dc93
SHA1

9ee6c50dfd7ca007d9926652c3117f6e1c3283d6
SHA256

de3c7ba6254b2826f3a9082db334cb2e5fb60fc233394e8fa8bc2764313ce994
SHA512

28333b3f98809e7a25234b0f435a44933615a894ecf3031c945324b2e15d6a9959a2644f451fbaa82edb59242c64b0476581b874578a2fa6811b4e964376ea69
SSDEEP

49152:fl1282ocAo1d9iwS2mO13df5k6N21D5MVKPba4SLt6k1Ur3U:fffhcZ9hS2mqaSir3U

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1704 systeminfo.exe

pid	process
1704	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
5000	powershell.exe
5000	powershell.exe
2204	powershell.exe
2204	powershell.exe
4108	powershell.exe
4108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe
Token: 36	4840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4840	WMIC.exe
Token: SeSecurityPrivilege	4840	WMIC.exe
Token: SeTakeOwnershipPrivilege	4840	WMIC.exe
Token: SeLoadDriverPrivilege	4840	WMIC.exe
Token: SeSystemProfilePrivilege	4840	WMIC.exe
Token: SeSystemtimePrivilege	4840	WMIC.exe
Token: SeProfSingleProcessPrivilege	4840	WMIC.exe
Token: SeIncBasePriorityPrivilege	4840	WMIC.exe
Token: SeCreatePagefilePrivilege	4840	WMIC.exe
Token: SeBackupPrivilege	4840	WMIC.exe
Token: SeRestorePrivilege	4840	WMIC.exe
Token: SeShutdownPrivilege	4840	WMIC.exe
Token: SeDebugPrivilege	4840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4840	WMIC.exe
Token: SeRemoteShutdownPrivilege	4840	WMIC.exe
Token: SeUndockPrivilege	4840	WMIC.exe
Token: SeManageVolumePrivilege	4840	WMIC.exe
Token: 33	4840	WMIC.exe
Token: 34	4840	WMIC.exe
Token: 35	4840	WMIC.exe
Token: 36	4840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0x000900000002313f-1838.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 3880	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 3880	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 3880	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3880 wrote to memory of 4840	3880	cmd.exe	WMIC.exe
PID 3880 wrote to memory of 4840	3880	cmd.exe	WMIC.exe
PID 3880 wrote to memory of 4840	3880	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 1104	3048	0x000900000002313f-1838.exe	wmic.exe
PID 3048 wrote to memory of 1104	3048	0x000900000002313f-1838.exe	wmic.exe
PID 3048 wrote to memory of 1104	3048	0x000900000002313f-1838.exe	wmic.exe
PID 3048 wrote to memory of 1404	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 1404	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 1404	3048	0x000900000002313f-1838.exe	cmd.exe
PID 1404 wrote to memory of 4352	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 4352	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 4352	1404	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 4220	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 4220	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 4220	3048	0x000900000002313f-1838.exe	cmd.exe
PID 4220 wrote to memory of 2168	4220	cmd.exe	WMIC.exe
PID 4220 wrote to memory of 2168	4220	cmd.exe	WMIC.exe
PID 4220 wrote to memory of 2168	4220	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 4968	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 4968	3048	0x000900000002313f-1838.exe	cmd.exe
PID 3048 wrote to memory of 4968	3048	0x000900000002313f-1838.exe	cmd.exe
PID 4968 wrote to memory of 1704	4968	cmd.exe	systeminfo.exe
PID 4968 wrote to memory of 1704	4968	cmd.exe	systeminfo.exe
PID 4968 wrote to memory of 1704	4968	cmd.exe	systeminfo.exe
PID 3048 wrote to memory of 4976	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 4976	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 4976	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 5000	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 5000	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 5000	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 2204	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 2204	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 2204	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 4108	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 4108	3048	0x000900000002313f-1838.exe	powershell.exe
PID 3048 wrote to memory of 4108	3048	0x000900000002313f-1838.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0x000900000002313f-1838.exe
"C:\Users\Admin\AppData\Local\Temp\0x000900000002313f-1838.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP\""
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
78811a94a55d67d97206241f8b1f01fc

SHA1
27c9a2c37fcdc174d2415c88c76e025866ac7a36

SHA256
475b314aded7e4810208535201ceaa25aaad4d19798d6dcd8a353abe2dfdbf6b

SHA512
9161d804ec19d1a057ed661b376f907dcef61544ff8fdb508fbce1cb961323521de2481146ed2d01e5b803d846e8e9dada53aab697c10d1521354383f4240b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
18aa637854071c277d4d086583917366

SHA1
19e6c5ba16635dc941681e23bcf24fe8da142b22

SHA256
b1c442381ab334f28cdd180ec816ee321300eda8880363af0ffa770d7c08df7b

SHA512
e3470c73fe2a3bc1a1044d0eaad95d7ac11165072ded55c771217c62616177f39b80aa9e991fde8d2fd78c22a03786f806da373d770f47033857786d2853603a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
516ff1a56a4921879de9b19d8cea19f8

SHA1
0d1dea4befbaa0e1928f0917da2c708bf67b2e4f

SHA256
e32e949079ba5ba78f2d65cea14af2b836fa20fb185392b0436a20dbc2d5f20c

SHA512
77f60087bc0a16e195fcefc698750874b1d9856ec063d3ba84fd38e28677179555d1b598769c164052cc2ade4ef282f28d401269b23502abc34bb887a1aedf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wluca3fa.bzv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
memory/2204-174-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/2204-175-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4108-189-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4108-190-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4976-147-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/4976-137-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/4976-134-0x0000000005BF0000-0x0000000006218000-memory.dmp

Filesize
6.2MB

Download
memory/4976-152-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/4976-135-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/4976-151-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/4976-150-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/4976-149-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/4976-148-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/4976-133-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/4976-153-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-136-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/5000-170-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/5000-159-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download