a06132d5da8e609172d84f3e3d2578167bca97e9d896c386136b1f98483d0252

Analysis

max time kernel
112s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Soft.exe
Size

855.2MB
MD5

fb61cbd8e373a64a5b5c5224248f28c9
SHA1

3feaa5e93191412bf21eac0aeb88715c5b02690a
SHA256

b5fb87f26faf6bfd0bc49d818f67b8ddc06a481cf42d3e61dcc57aba9a6befd4
SHA512

abd7f27b2024cc94d0f0791eb9c5e3fd17ab1f01a87db8b8c17c8c0ebfd30c206517d1e8889952eb93ae1ca49dc22dcf6405ce54158fb573c0d633cd9e2f561f
SSDEEP

3072:jJdxYVsvlrk2ycpm1fC/zFJrkWilZ2fkWc6/T+jfOWe2brfnRRQfEfxX6deP:ssvlrxqkpMZwkWc7jf33uEfxqeP

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	1420	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe
1420	Soft.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	Soft.exe

C:\Users\Admin\AppData\Local\Temp\Soft.exe
"C:\Users\Admin\AppData\Local\Temp\Soft.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 2160
  2⤵
  - Program crash
  PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1420 -ip 1420
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ff71ebb0fc22b1084e1d7f9e7657a72d\Admin@[email protected]\Processes.txt

Filesize
4KB

MD5
45e8d7e2f12e256ab90c7ebaa29480e2

SHA1
4b2ab80cbcae9524f4a2071757cd1653ef909889

SHA256
c81da98327d8eaf9b9a0c767668b73dccb34a0b344b8b0c29d1014133cf121d9

SHA512
458de9f333b6f300ae5005dc0c93b9681c481c12e4c902b5f460076db61eb33aba7737501a7381e3746aa64e0cb3df776c1e11b783335d7eeb3001afff5b050c

Download Submit
C:\Users\Admin\AppData\Local\ff71ebb0fc22b1084e1d7f9e7657a72d\Admin@[email protected]\Software.txt

Filesize
813B

MD5
2ce1c791b95adc44eca4c4bd7ace7081

SHA1
1bb69b748fa1e2554f1ebd00de6c2a1e48b34ad0

SHA256
2d3035fc4bfe523ba23b68d4956fabfa9b3924ddfc8e85adf92dd936dbb2d88b

SHA512
5390bd8a0a220b8ecd263a2190e6999f9b6f07bae4154422f3348e261d34e9ea8535d95858c5c403d45a55e989beb0fde78c5adbdc486bcea8ecc491bc291cd2

Download Submit
C:\Users\Admin\AppData\Local\ff71ebb0fc22b1084e1d7f9e7657a72d\Admin@[email protected]\Software.txt

Filesize
4KB

MD5
4d469fcd07d1ee0a57b64c5ad3a80d22

SHA1
17b0b8600cbe0015c1d3792a05cd5faa69e986e2

SHA256
8a90a8506281a7c79e22c746bb5c0e1900753905d39c3b2cf075889f12566f49

SHA512
0722c29314d54ec23cee1a7e53009ac9295f54aeb5a59760181233c38c8ef96ce5e141915e20b4ae5c6f1efea13b7952698881fa5e7bed7d7ea7d77047b847a6

Download Submit
C:\Users\Admin\AppData\Local\ff71ebb0fc22b1084e1d7f9e7657a72d\msgid.dat

Filesize
13B

MD5
52e2479d75e086f9c280ec6ab5ae4fe6

SHA1
2750d987041c869ebc4be655f31b5803a677fb8b

SHA256
7f4007c917578896645f1844af5459e9218c709da14c5465e687ca61604a3de6

SHA512
d74deb991dcc9c83c86989040405752caefc9313e5f20ca64fcf1c96a278bfd381ebf58e7ac9fc67aea0e699bdaa915319945ab7a1a0daab3ba4279f9774d1ff

Download Submit
memory/1420-7-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1420-6-0x0000000004AF0000-0x0000000004B56000-memory.dmp

Filesize
408KB

Download
memory/1420-32-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/1420-46-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-51-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1420-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1420-121-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1420-17-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/1420-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-162-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/1420-163-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/1420-1-0x0000000002030000-0x000000000204E000-memory.dmp

Filesize
120KB

Download
memory/1420-182-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1420-184-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download