25bac63af18bcfff5b7809a94dd30f518f04ee1a404f4af42204075f6365f45e

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

875817da389bf02f93ee56e43fe42311_mafia_JC.exe
Size

1.2MB
MD5

875817da389bf02f93ee56e43fe42311
SHA1

155f429b8d678e26ba2f132e2073ba2f9c69fa69
SHA256

25bac63af18bcfff5b7809a94dd30f518f04ee1a404f4af42204075f6365f45e
SHA512

83a481d2889dbf95aa857114a0f8ecd8c3aa9540be69ea4528c1d5a7d2271b213f3d38d4a198d64dc822f4fe1f150634cd84c047f5fcfbb7a358e27394724428
SSDEEP

24576:+1QfopqgCJXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp04f6mAZwGOjbvD/+XbdeXcw:+1wgOXiTcNV7CS7bkY8xWa4f6mASDmXE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4380	tmppack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	875817da389bf02f93ee56e43fe42311_mafia_JC.exe
1140	875817da389bf02f93ee56e43fe42311_mafia_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 4380	1140	875817da389bf02f93ee56e43fe42311_mafia_JC.exe	83
PID 1140 wrote to memory of 4380	1140	875817da389bf02f93ee56e43fe42311_mafia_JC.exe	83
PID 1140 wrote to memory of 4380	1140	875817da389bf02f93ee56e43fe42311_mafia_JC.exe	83

C:\Users\Admin\AppData\Local\Temp\875817da389bf02f93ee56e43fe42311_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\875817da389bf02f93ee56e43fe42311_mafia_JC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\HSFIAYGAJLADOD\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1r6t7bg\gui\3236.html

Filesize
6KB

MD5
c2cdd77cc6c7cdcbd78cf169782ea0fa

SHA1
5116389531c5153c6419ea23402628805b5e0229

SHA256
f3234b260ff7aaa318ca402a99c324dcf2d547c7660fcdfc038abc94191a319d

SHA512
3244a9b00f84f5ceea65da05bb3d28ec93af4faae645aa858079cd900edbc5347bbcfc3e34adbba7c59b43a58eee0fde6f42538e4842125a2b5b74558f4637b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1r6t7bg\gui\events\cav.xml

Filesize
1KB

MD5
53db8144c2937638ab55fbee6dc0cc71

SHA1
47ebda58e209e18c46ca0bd974775b3a7489d1d1

SHA256
fcbaf17f3d3d9ed76c37252a6fba06e740678034edf1d741564de22e6e4f1a33

SHA512
10709f9fd2bae525de8976562937490a8cc967c754c64e9a97f43b93b17d6707eb3c527ac3240c2daebc9cb9204c565dd5a3ad62e14e143a0ec0e80807564899

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSFIAYGAJLADOD\installer.pak

Filesize
1.6MB

MD5
a4a7f8cb2dbefe97901cf657f6ed5ca4

SHA1
3b297cd14d8844b6da442557b0d82d1f2e888b22

SHA256
babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2

SHA512
bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSFIAYGAJLADOD\tmppack.exe

Filesize
716KB

MD5
d2f31d4bcb2f93e137eed54a8f4c8874

SHA1
28bf2717bfda88a3e93906c720065cde847b1487

SHA256
473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c

SHA512
d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSFIAYGAJLADOD\tmppack.exe

Filesize
716KB

MD5
d2f31d4bcb2f93e137eed54a8f4c8874

SHA1
28bf2717bfda88a3e93906c720065cde847b1487

SHA256
473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c

SHA512
d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

Download Submit
memory/1140-141-0x0000000002770000-0x000000000290D000-memory.dmp

Filesize
1.6MB

Download
memory/1140-211-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1140-231-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download