a06132d5da8e609172d84f3e3d2578167bca97e9d896c386136b1f98483d0252

Analysis

max time kernel
298s
max time network
319s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Soft.exe
Size

855.2MB
MD5

fb61cbd8e373a64a5b5c5224248f28c9
SHA1

3feaa5e93191412bf21eac0aeb88715c5b02690a
SHA256

b5fb87f26faf6bfd0bc49d818f67b8ddc06a481cf42d3e61dcc57aba9a6befd4
SHA512

abd7f27b2024cc94d0f0791eb9c5e3fd17ab1f01a87db8b8c17c8c0ebfd30c206517d1e8889952eb93ae1ca49dc22dcf6405ce54158fb573c0d633cd9e2f561f
SSDEEP

3072:jJdxYVsvlrk2ycpm1fC/zFJrkWilZ2fkWc6/T+jfOWe2brfnRRQfEfxX6deP:ssvlrxqkpMZwkWc7jf33uEfxqeP

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
568	Soft.exe
568	Soft.exe
568	Soft.exe
568	Soft.exe
568	Soft.exe
568	Soft.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	Soft.exe

C:\Users\Admin\AppData\Local\Temp\Soft.exe
"C:\Users\Admin\AppData\Local\Temp\Soft.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\57aea86c4c5719ff4648182364abd85d\Admin@[email protected]\Software.txt

Filesize
4KB

MD5
0deddb3cd02f97a1b29228e249b3b365

SHA1
fecda2c925798a04ad17871124a441dd96ae1730

SHA256
f347f9e4d3dd0ce266a5d225c0471e33386c659c6c2425a1b2e625864e538b9b

SHA512
23d186926572a79bd7cec17ddfc8dc49e97097636cf34cdbc4a8b3d6b590362635cb41200da96385cbc9da4d255cef65bf5bf2cd964c37c331ef9d1dec50eeb0

Download Submit
C:\Users\Admin\AppData\Local\57aea86c4c5719ff4648182364abd85d\msgid.dat

Filesize
13B

MD5
52e2479d75e086f9c280ec6ab5ae4fe6

SHA1
2750d987041c869ebc4be655f31b5803a677fb8b

SHA256
7f4007c917578896645f1844af5459e9218c709da14c5465e687ca61604a3de6

SHA512
d74deb991dcc9c83c86989040405752caefc9313e5f20ca64fcf1c96a278bfd381ebf58e7ac9fc67aea0e699bdaa915319945ab7a1a0daab3ba4279f9774d1ff

Download Submit
memory/568-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/568-1-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/568-5-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/568-6-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/568-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/568-29-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/568-52-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/568-95-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/568-108-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download