f510d00b7e76acc0900dcfd9dce320bee26edbdb58f7ffcd9943bda235f576f2

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5379be2782c997c07288897c9ca7a691.exe
Size

401KB
MD5

5379be2782c997c07288897c9ca7a691
SHA1

46d282856f8ff35e31f507152016daae3ba6c570
SHA256

f510d00b7e76acc0900dcfd9dce320bee26edbdb58f7ffcd9943bda235f576f2
SHA512

f3105aced092dd4dcc9812994c97d391ad9cddd7f170d5353f1ff234389901d128ed04563f695fd020c5608f80cd89a5b87d89e05074f7ff35c468c44813596d
SSDEEP

6144:NSbwHWwnIfqrbb1hq9UyqvwS4GclHuYS+12QyoISwMd7wvcY:cwrnIfqrQVGcRu612QyVSwM+P

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1512	5379be2782c997c07288897c9ca7a691.usa

Loads dropped DLL 1 IoCs

pid	Process
2212	5379be2782c997c07288897c9ca7a691.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UsaShohdi.asu	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	C:\Windows\SysWOW64\UsaShohdi.asu	5379be2782c997c07288897c9ca7a691.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\7-Zip\7zFM.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaws.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Mozilla Firefox\firefox.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\XLICONS.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\Chess.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\chrome.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\uninstall\helper.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\VideoLAN\VLC\vlc.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.usa	5379be2782c997c07288897c9ca7a691.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.usa	5379be2782c997c07288897c9ca7a691.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	5379be2782c997c07288897c9ca7a691.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1512	2212	5379be2782c997c07288897c9ca7a691.exe	28
PID 2212 wrote to memory of 1512	2212	5379be2782c997c07288897c9ca7a691.exe	28
PID 2212 wrote to memory of 1512	2212	5379be2782c997c07288897c9ca7a691.exe	28
PID 2212 wrote to memory of 1512	2212	5379be2782c997c07288897c9ca7a691.exe	28

C:\Users\Admin\AppData\Local\Temp\5379be2782c997c07288897c9ca7a691.exe
"C:\Users\Admin\AppData\Local\Temp\5379be2782c997c07288897c9ca7a691.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\5379be2782c997c07288897c9ca7a691.usa
  C:\Users\Admin\AppData\Local\Temp\5379be2782c997c07288897c9ca7a691.usa
  2⤵
  - Executes dropped EXE
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\UsaShohdi.asu

Filesize
401KB

MD5
5379be2782c997c07288897c9ca7a691

SHA1
46d282856f8ff35e31f507152016daae3ba6c570

SHA256
f510d00b7e76acc0900dcfd9dce320bee26edbdb58f7ffcd9943bda235f576f2

SHA512
f3105aced092dd4dcc9812994c97d391ad9cddd7f170d5353f1ff234389901d128ed04563f695fd020c5608f80cd89a5b87d89e05074f7ff35c468c44813596d

Download Submit
\Users\Admin\AppData\Local\Temp\5379be2782c997c07288897c9ca7a691.usa

Filesize
97KB

MD5
18f0fabaacd7d8c641a68023d359a4b8

SHA1
2b32ca8c89ac40512b9e6f2a7b555cf5ae6fbe01

SHA256
e532631bb42c9d2e58258583c1a461b7661889e20ff7be60595bce76b0dd2369

SHA512
6eb628d1a4d7b0f6d4cf46c8af8ebe373aedb0938c5e96f7444c527e87191f659522572ff32a38ccb05733d002562722a5d57aef08f88b55a67c813b0d8fc7ed

Download Submit