80de038fa8ee564ad91ec09be420fcc9ad97cb28874c2f3aa7dd994625deec3f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

161ff7ba1c8b2692c5a5cd36b68c7a02.exe
Size

6.7MB
MD5

161ff7ba1c8b2692c5a5cd36b68c7a02
SHA1

84b826d79dc77c9c501ff3eadb6af04b19be2850
SHA256

80de038fa8ee564ad91ec09be420fcc9ad97cb28874c2f3aa7dd994625deec3f
SHA512

3424c6944c5e6fe1ffedff9aac4df249c120f6fc01e56a12812db6be892cfa4dd5d1924bdc7c01773e0c6028ea119ce0340e272eae0a3c733d19f2e390d445ce
SSDEEP

98304:PUKKmD+eNEn9TAn9TiyVPKA/n9TBfUbX7fUbX0:PUKKAEn9TAn9Tvn9TBfUffUY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	_v_14883.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2652	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	28
PID 1976 wrote to memory of 2652	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	28
PID 1976 wrote to memory of 2652	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	28
PID 1976 wrote to memory of 2652	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	28
PID 1976 wrote to memory of 2208	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	30
PID 1976 wrote to memory of 2208	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	30
PID 1976 wrote to memory of 2208	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	30
PID 1976 wrote to memory of 2208	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	30
PID 1976 wrote to memory of 2672	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	32
PID 1976 wrote to memory of 2672	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	32
PID 1976 wrote to memory of 2672	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	32
PID 1976 wrote to memory of 2672	1976	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	32

C:\Users\Admin\AppData\Local\Temp\161ff7ba1c8b2692c5a5cd36b68c7a02.exe
"C:\Users\Admin\AppData\Local\Temp\161ff7ba1c8b2692c5a5cd36b68c7a02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del _v_*
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /windows/../../../../../../../../../_v_*
  2⤵
  PID:2208
- \??\c:\_v_14883.exe
  c:/_v_14883.exe
  2⤵
  - Executes dropped EXE
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\_v_14883.exe

Filesize
2.0MB

MD5
65cd80a44c968cbdca55d8860f13e8fc

SHA1
2a7546c73d3a9726702ab680e237f6754db6a2c7

SHA256
9856038c6d5538f45dc53f493623453e4dd725fc11bbae3c28ebf3a5a4474ed2

SHA512
508c39aa05d887c09e9c8ae1915add119b3d23cefb5e4575470a662a52d4ef7a3284173eb6cf76e6f420d13a2355a6963cf8c0d6ee4f5e1162534c73655d6a74

Download Submit
C:\_v_14883.exe

Filesize
1.3MB

MD5
129e9555671d3ac0e2c7a5df6c531090

SHA1
8a7950c544f2975a2c2bed3c2efa0bb2eab4fbec

SHA256
77bf70d78100bed63eb2760b5356f100c3a04fe63dc73c20b45211025f34af8e

SHA512
0630ff9f2d8525a3192896b8c10a33df8bc939f8d9ebce86a548e23b8a816e7493edc4b9ffbad9c6805198ae8d2abc3b6b0ea43ceebf118a0afa82a42f3b8325

Download Submit
memory/1976-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-6-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-7-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2672-9-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2672-11-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-12-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download