40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17

Resubmissions

01/11/2023, 20:57

231101-zryfwadb3s 8

01/11/2023, 20:12

31/10/2023, 21:03

31/10/2023, 18:05

31/10/2023, 17:13

31/10/2023, 16:52

Analysis

max time kernel
362s
max time network
366s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
Size

203KB
MD5

e26bba0304f14ef96beb60376791d32c
SHA1

24f6785ca2e82d1d1d61f4cb01d5e753f80445cf
SHA256

40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17
SHA512

f38c594c10ec95a1b0cb3acdb1e920d8343728aa34641d773d4f7fb391cf2d6bb7d11264496b9792c7aec551ce4b1b74bbb78b1a787e6d667824fb18f988d93a
SSDEEP

3072:7uoYEB8lWYjmGlCcrwMuWSiVuFbJj65dVi/gTXouvCFH:73V+hjm6Ccrpu+iB/gTY+CF

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 53 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8DD9D3QP\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GQUNQV9S\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1ESHDZZN\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HS7UUQ54\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KE66LTHD\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DW5YQW87\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2952504676-3105837840-1406404655-1000\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4SJV31EU\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SDK22CY5\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1216	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	29
PID 3064 wrote to memory of 1216	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	29
PID 3064 wrote to memory of 1216	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	29
PID 3064 wrote to memory of 2404	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	30
PID 3064 wrote to memory of 2404	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	30
PID 3064 wrote to memory of 2404	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	30
PID 3064 wrote to memory of 2800	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	32
PID 3064 wrote to memory of 2800	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	32
PID 3064 wrote to memory of 2800	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	32
PID 3064 wrote to memory of 2768	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	31
PID 3064 wrote to memory of 2768	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	31
PID 3064 wrote to memory of 2768	3064	40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe	31

C:\Users\Admin\AppData\Local\Temp\40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe
"C:\Users\Admin\AppData\Local\Temp\40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe /c vssadmin delete shadows /quIet /all
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...