5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91

Analysis

max time kernel
139s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe
Size

1.7MB
MD5

fee771c9a50a56880f6bce04874f6f5c
SHA1

e5a9f281eb91405004cd4f347db7b5f23f8d6b8f
SHA256

5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91
SHA512

e1cb760ddc11d2eeba73fd5bd3baabcebc82c7f41ed9a7cc2d7e30bf527ac6aaf3593536a57c3ac546ecf29b1521764f0412062a811645d0bbcf739ca579f422
SSDEEP

24576:3eHTg0cKA71b0+P7tT4o+AVDT2wEpXs+XFJP+jP2jetVS7cb6z54R7u9ud9Xu9cI:3TrTqAVm/JRX2IetVz6mRuaxt

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4472	Town.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
616	tasklist.exe
904	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4580	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	tasklist.exe
Token: SeDebugPrivilege	904	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4472	Town.pif
4472	Town.pif
4472	Town.pif
4472	Town.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3652	1508	NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe	93
PID 1508 wrote to memory of 3652	1508	NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe	93
PID 1508 wrote to memory of 3652	1508	NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe	93
PID 3652 wrote to memory of 2456	3652	cmd.exe	94
PID 3652 wrote to memory of 2456	3652	cmd.exe	94
PID 3652 wrote to memory of 2456	3652	cmd.exe	94
PID 2456 wrote to memory of 616	2456	cmd.exe	96
PID 2456 wrote to memory of 616	2456	cmd.exe	96
PID 2456 wrote to memory of 616	2456	cmd.exe	96
PID 2456 wrote to memory of 852	2456	cmd.exe	97
PID 2456 wrote to memory of 852	2456	cmd.exe	97
PID 2456 wrote to memory of 852	2456	cmd.exe	97
PID 2456 wrote to memory of 904	2456	cmd.exe	98
PID 2456 wrote to memory of 904	2456	cmd.exe	98
PID 2456 wrote to memory of 904	2456	cmd.exe	98
PID 2456 wrote to memory of 1824	2456	cmd.exe	99
PID 2456 wrote to memory of 1824	2456	cmd.exe	99
PID 2456 wrote to memory of 1824	2456	cmd.exe	99
PID 2456 wrote to memory of 2492	2456	cmd.exe	100
PID 2456 wrote to memory of 2492	2456	cmd.exe	100
PID 2456 wrote to memory of 2492	2456	cmd.exe	100
PID 2456 wrote to memory of 2240	2456	cmd.exe	101
PID 2456 wrote to memory of 2240	2456	cmd.exe	101
PID 2456 wrote to memory of 2240	2456	cmd.exe	101
PID 2456 wrote to memory of 2932	2456	cmd.exe	102
PID 2456 wrote to memory of 2932	2456	cmd.exe	102
PID 2456 wrote to memory of 2932	2456	cmd.exe	102
PID 2456 wrote to memory of 4472	2456	cmd.exe	103
PID 2456 wrote to memory of 4472	2456	cmd.exe	103
PID 2456 wrote to memory of 4472	2456	cmd.exe	103
PID 2456 wrote to memory of 4580	2456	cmd.exe	104
PID 2456 wrote to memory of 4580	2456	cmd.exe	104
PID 2456 wrote to memory of 4580	2456	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91exe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Sorry & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:616
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:904
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 32663
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Edges + Inf + Foul + Entrepreneurs 32663\Town.pif
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Admit + Like + Yu 32663\a
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\16698\32663\Town.pif
      32663\Town.pif 32663\a
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4472
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16698\32663\Town.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\32663\Town.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\32663\a

Filesize
1.1MB

MD5
cf3cad1cd81fdcd412284f36cd152e4f

SHA1
9e13626b96829190239294a430a7490cd3f08356

SHA256
4f78826f2e0ec86ca4a4b13a50220a79aaad30ee2374bd10548e105de38827c6

SHA512
f14a9e88bf0aacdf48e3fbd36784ce9620e2127f5f41e105afdf5366ac5ff7dcc8664708f2a84fcd12c29ea80361bc592b0222ce13d8f5158a224c67d0517196

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Admit

Filesize
446KB

MD5
2b3c9515510eee0dc19c67772f793c4f

SHA1
6d4c851e63dd8d7073e9d9fbf2603bbab7b60100

SHA256
7bfbe7b40752a99a4405031be7a92ee835238bd098081afe527663fa4f8ac4bf

SHA512
470cf48f1e3966865eb3c6bea8d14fe67444069a6c689451271ec968a320d1496432956b21f6746b3c5d72c1b241c166da5cda3abf7c2e767c0817d98c1e899e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Edges

Filesize
250KB

MD5
bc38068047fa909483d2029dbd56a138

SHA1
447a3143f062a11854eba0db83c4b1e8ee5649ce

SHA256
65f59b33867862480eb3765dbbe8666cd038770daf6d22761cf0a5f50613221f

SHA512
11f0acbedc74dd6ff1979b238b2bed638f55f4fb2a0c6503e48d6be66c8d360600dc1c41d0a161ea8568598f9117d3c998e1e2825959078eb6942d7d5270fb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Entrepreneurs

Filesize
219KB

MD5
f27a3c6f675ef8dc39afa3e9d1ca52f1

SHA1
50c617f9727877f69cb45d0860110508e5ddd99a

SHA256
107c9f5f21d19fd781218ef317597a5039ba9fe22a908a5b610ee60480059d3f

SHA512
f5452015f2eb9c6b0452bd1729b06baea9d5a2848594bed478e3c949266fa8438c552f2961d19a4624f981ba552e9525bc42188792a75babbee98c0f1557db1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Foul

Filesize
190KB

MD5
0fb98b666cec21e6a510379372988208

SHA1
2701956d358029eacffc086adf94cfb287744d5b

SHA256
c5f575ab19db378b1303debb9b5417cb14fde8f330667f71fe93230ea9b33926

SHA512
5285f84364c501c828081f3c12fb0e407edabe77aa13634ffdb1344460f969faf5fbdf08bc66ebf93551421442993d9650728bfc7fc10da582031bc64892a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Inf

Filesize
265KB

MD5
f7b1477adc53dd39d4d4095c5ef777ea

SHA1
fe4fefd565e79d3417f527bbf3586d93519304aa

SHA256
1c2d1a532679278f12fc4994195f1e190da14424e781caa9ebbb2e8615d0d899

SHA512
cb521aaa5f53c8816e379b17740a88c3c1290a6e6dc06ad1bcd23d56681a1b52ba3250f5ecd4416e2eb3da35dca1501a67eca0835e6ed4a7cb71fe2d45612d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Like

Filesize
404KB

MD5
2369acddad6dc5da2a87623b652974d9

SHA1
efc1441d1ddbc0c36011676415841c49a5a0223c

SHA256
3d470e1b625e72b8b89d18236380074c2893c42371a04670d1ca9b27ac825738

SHA512
d3330f2e186c7c438f8394ac485ac55c2f5ecb6430fe30fd929aa3451e5f8dbec8ac1ce0a0ee7c7d7687a7290752043b5811a76ee80497044d42156f41ded112

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Sorry

Filesize
11KB

MD5
26413b5e758c26171fec67d8139b8482

SHA1
42548f7957d4d19b3afbd6b81405a2d80f638c55

SHA256
24017740ee1bd1195a54de9b174823a2a6fde0f04cbd5bfbde5917b4bf760d30

SHA512
4f1631b328c863e03e2157aa178f7a99b63bfec61a8416c0ec2bb9ba546b58ddef880149fc1800493846f79342f66939d1067f8a2d44f407563983082db8121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\16698\Yu

Filesize
278KB

MD5
5ac68d1e171391b319399de52fb5472a

SHA1
690f71693528b9ae7718a1bfc580d8588f1f06ae

SHA256
b0743290c227ea97f6c03ff7a9f0027a0c9c0c82ad028fb100ac46e09250782a

SHA512
c4615167cd5b6f336cab0690efcd5893e328de8a7def90142a8e8104953e7a5ec832ce82db37582cad52b335a950f841da6d7640f008a15b9921a9acddc14c04

Download Submit
memory/1508-23-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/1508-1-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/1508-10-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1508-25-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/1508-0-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/4472-26-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4472-28-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-29-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-30-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-31-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-27-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-33-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-34-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download
memory/4472-35-0x0000000005760000-0x00000000057E6000-memory.dmp

Filesize
536KB

Download