4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/11/2023, 07:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe
Size

16KB
MD5

f0008aa9dd21bff0a523695bc852bd02
SHA1

53484b5a65a906b2693813397ec13d2ebd88c06e
SHA256

4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e
SHA512

b2aabd1651c9faf29ca5fb000ad4908438f356b04708aa0cdf6b6d30106ef751ebe4b162d08e9d57f26946fa9958e164d4904809f3ca3fd21d4000b1fd97a133
SSDEEP

192:YcA0hyErRBqgOnPQPdcIdq20dqE5Ps6Z6GQO0bDDvz0EHITbKH62RTUz/PwVkn:vJN0xIwtdn536bOEboEo3KH0z/Pwy

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe
Token: SeDebugPrivilege	2088	spoolsv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2088	1480	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe	28
PID 1480 wrote to memory of 2088	1480	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe	28
PID 1480 wrote to memory of 2088	1480	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe	28
PID 1480 wrote to memory of 2088	1480	4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe	28

C:\Users\Admin\AppData\Local\Temp\4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe
"C:\Users\Admin\AppData\Local\Temp\4728b17d58eb5a5939fe9a226164645249d5f275fc2a052a8a9c88699a03db6e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sz6lpuDVNNO1ulk.exe

Filesize
16KB

MD5
2f1532976d4f2c378c89fcf3616a7f96

SHA1
5c69466e9c51ffb05dc69bbfb1fe01748487438f

SHA256
f53774d4d012bce95121b2804e0dae11cec5ed89369f0c7925453d851bd3a7c6

SHA512
76c578e8b160d48cab3704a4a58178e0f08b8f1c00478f257082ce931f8bb0e0c316a922fca0e5b6b2c3d5d37181250d34a381672d9a14f763257df4af16ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sz6lpuDVNNO1ulk.exe

Filesize
16KB

MD5
2f1532976d4f2c378c89fcf3616a7f96

SHA1
5c69466e9c51ffb05dc69bbfb1fe01748487438f

SHA256
f53774d4d012bce95121b2804e0dae11cec5ed89369f0c7925453d851bd3a7c6

SHA512
76c578e8b160d48cab3704a4a58178e0f08b8f1c00478f257082ce931f8bb0e0c316a922fca0e5b6b2c3d5d37181250d34a381672d9a14f763257df4af16ef27

Download Submit
C:\Windows\spoolsv.exe

Filesize
16KB

MD5
361c84c05ec741535ded781e8e4ec642

SHA1
428b169536a5bb7c3b5a0c83e0ea0b0b48142b80

SHA256
6baa7bb87b1fb6faae543d8101b2006648ab11884c1f871e44cc23894e879ae7

SHA512
bd8aea4481289d1a42fb5e62453df6bff0f82dd567fd8e73c7342f0fc1c0331cb9d372aee732af9442f364bf13d40070ee818548874ffe4196def3527608fcaf

Download Submit
C:\Windows\spoolsv.exe

Filesize
16KB

MD5
361c84c05ec741535ded781e8e4ec642

SHA1
428b169536a5bb7c3b5a0c83e0ea0b0b48142b80

SHA256
6baa7bb87b1fb6faae543d8101b2006648ab11884c1f871e44cc23894e879ae7

SHA512
bd8aea4481289d1a42fb5e62453df6bff0f82dd567fd8e73c7342f0fc1c0331cb9d372aee732af9442f364bf13d40070ee818548874ffe4196def3527608fcaf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads