3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03

Resubmissions

03-08-2023 07:22

230803-h7h8fsbh93 8

24-10-2022 20:50

221024-zmn2msaeen 10

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.............exe
Size

3.9MB
MD5

1c9d03acc5ce4d1565e01418e2892087
SHA1

345be215d0017d06a3934150105389730038fa69
SHA256

bdb03d50cba10bbbaea2409521c515d15f3e674e6ccabbadfec319bdc08cd1ea
SHA512

1442ad0b3af4fddc1c6980426a25f6d2c4b033902b8cc42596ad0077385ca3d56e4fed4517a61fe4d5b5b185b34030196ac9c5dcc61d93fd48292aed2b7998e8
SSDEEP

49152:gnHn5pXUXb6c9YuoHjAbDiYFpIDckO4iNQxgei6HQR9sXafgkDFMVR9C1UhPJXMS:45pEXOc9AH8FpQrDgeJrBiCV2HXq

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Program Files directory 1 IoCs

Processes:

.............exe

description ioc process

File created C:\Program Files (x86)\0E579E15.log .............exe
Loads dropped DLL 1 IoCs

Processes:

.............exe

pid process

4580 .............exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

.............exe

pid process

4580 .............exe
4580 .............exe
4580 .............exe
4580 .............exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

.............exe

description pid process

Token: SeShutdownPrivilege 4580 .............exe
Token: SeCreatePagefilePrivilege 4580 .............exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

.............exe

pid process

4580 .............exe
4580 .............exe

description	ioc	process
File created	C:\Program Files (x86)\0E579E15.log	.............exe

pid	process
4580	.............exe

pid	process
4580	.............exe
4580	.............exe
4580	.............exe
4580	.............exe

description	pid	process
Token: SeShutdownPrivilege	4580	.............exe
Token: SeCreatePagefilePrivilege	4580	.............exe

pid	process
4580	.............exe
4580	.............exe

C:\Users\Admin\AppData\Local\Temp\.............exe
"C:\Users\Admin\AppData\Local\Temp\.............exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\1498f5c051d947bb8f80f2984dc47386 /t 4432 /p 4580
1⤵
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fusion_ld\Fusion.dll

Filesize
1011KB

MD5
7d900a78879abc427d67533fea28a2bb

SHA1
db0632d5db8edc354922b32c5b948eac44a86fdc

SHA256
b4eba257269060b9ee20c0c24d943d31d81a6da7b26c33c2ffac311a977d5404

SHA512
af35d6f02d92c76913a2787df1b4f6f1f7800ad4ed1d7c692b270b2a576e991675df75932995fd1136a9ab4f6911325be4cc2733b7304546fd4a87c75fd38b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd24062079653233\bootstrap_47637.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd24062079653233\css\main.css

Filesize
6KB

MD5
9b27e2a266fe15a3aabfe635c29e8923

SHA1
403afe68c7ee99698c0e8873ce1cd424b503c4c8

SHA256
166aa42bc5216c5791388847ae114ec0671a0d97b9952d14f29419b8be3fb23f

SHA512
4b07c11db91ce5750d81959c7b2c278ed41bb64c1d1aa29da87344c5177b8eb82d7d710b426f401b069fd05062395655d985ca031489544cdf9b72fe533afa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd24062079653233\images\Loader.gif

Filesize
10KB

MD5
57ca1a2085d82f0574e3ef740b9a5ead

SHA1
2974f4bf37231205a256f2648189a461e74869c0

SHA256
476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e

SHA512
2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Download Submit
memory/4580-384-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-142-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-145-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-146-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-141-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-388-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-389-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/4580-390-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-392-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-393-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-394-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-398-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-400-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-401-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-403-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-144-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-138-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-411-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-412-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-415-0x0000000008CF0000-0x0000000008D10000-memory.dmp

Filesize
128KB

Download
memory/4580-137-0x0000000006ED0000-0x0000000006FB4000-memory.dmp

Filesize
912KB

Download
memory/4580-418-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-419-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-420-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-430-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-432-0x0000000006ED0000-0x0000000006FB4000-memory.dmp

Filesize
912KB

Download
memory/4580-433-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-435-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-434-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4580-437-0x0000000007210000-0x000000000741C000-memory.dmp

Filesize
2.0MB

Download
memory/4580-439-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download