80de038fa8ee564ad91ec09be420fcc9ad97cb28874c2f3aa7dd994625deec3f

Analysis

max time kernel
143s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 11:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

161ff7ba1c8b2692c5a5cd36b68c7a02.exe
Size

6.7MB
MD5

161ff7ba1c8b2692c5a5cd36b68c7a02
SHA1

84b826d79dc77c9c501ff3eadb6af04b19be2850
SHA256

80de038fa8ee564ad91ec09be420fcc9ad97cb28874c2f3aa7dd994625deec3f
SHA512

3424c6944c5e6fe1ffedff9aac4df249c120f6fc01e56a12812db6be892cfa4dd5d1924bdc7c01773e0c6028ea119ce0340e272eae0a3c733d19f2e390d445ce
SSDEEP

98304:PUKKmD+eNEn9TAn9TiyVPKA/n9TBfUbX7fUbX0:PUKKAEn9TAn9Tvn9TBfUffUY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4392	_v_7591.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1196	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	89
PID 2332 wrote to memory of 1196	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	89
PID 2332 wrote to memory of 1196	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	89
PID 2332 wrote to memory of 1124	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	91
PID 2332 wrote to memory of 1124	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	91
PID 2332 wrote to memory of 1124	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	91
PID 2332 wrote to memory of 4392	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	96
PID 2332 wrote to memory of 4392	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	96
PID 2332 wrote to memory of 4392	2332	161ff7ba1c8b2692c5a5cd36b68c7a02.exe	96

C:\Users\Admin\AppData\Local\Temp\161ff7ba1c8b2692c5a5cd36b68c7a02.exe
"C:\Users\Admin\AppData\Local\Temp\161ff7ba1c8b2692c5a5cd36b68c7a02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del _v_*
  2⤵
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /windows/../../../../../../../../../_v_*
  2⤵
  PID:1124
- \??\c:\_v_7591.exe
  c:/_v_7591.exe
  2⤵
  - Executes dropped EXE
  PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml

Filesize
6.8MB

MD5
77040206bc704f26425133055ca94a4d

SHA1
124c51d29a7276edc4fa6e20e9989be2dc775711

SHA256
8463ea24173ecf4898a80ae8818402e1509bc7ac7d152ce724de14b8bb2951c1

SHA512
fa08b3dd8bd0b9ca73132a69948d100a473c5a6d71fa2ceef82715f0902d9ad96efde40adff883b8d58df498545aa36512ca68f200b0b1cad81971c935639e9f

Download Submit
C:\_v_7591.exe

Filesize
4.0MB

MD5
92f152ff5ddd1ab7a738187f39862302

SHA1
41f605589367ec17361ac34a326b53cadabb7999

SHA256
43ddebc6106ad0dfe2ce2917ba2781447bdf2f7081ce05904304332fe53ef434

SHA512
11e4e6fb5a74af4d8db11a690522c89320d3375d43403a806ccf42e0f534411e1eaae77398c5a343f1834a5846cbbaa9e8f7f67c3b44062c05c0130ff0224839

Download Submit
\??\c:\_v_7591.exe

Filesize
2.0MB

MD5
b9370a3b0cf9b36353426b642d4b8630

SHA1
d638f4fad13f96da9c66a5952a9fe3ab9d98da7f

SHA256
3160b1b05bf627241e9dde9bdb24f926b146bcf12713cf6dfac5b302624cac96

SHA512
d16b619ee3ab2e4f785ca104d6e45be3deebdff82c8cac8f6acee50b467854f7c83dfdf51da2b00d3049022601f558ebfdba8cb6ba91f3374b00e7fa6d27e9f5

Download Submit
memory/2332-24-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4392-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4392-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4392-25-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4392-28-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4392-29-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download