bb5a9d6418509a04633788d4c9afdb3b3e78f23907565bcdf80e65dd79c1fe79

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c87d8e079bba8933dd6daa4b118803.exe
Size

1018KB
MD5

14c87d8e079bba8933dd6daa4b118803
SHA1

6efc80e872ece113a011fb2f7dab2e4cc272fd7c
SHA256

bb5a9d6418509a04633788d4c9afdb3b3e78f23907565bcdf80e65dd79c1fe79
SHA512

2f4473dfefa9e351c69e76688448079b5b02bdf53ad45b881450686b43d8d913ced9309117e1ca36262716608d218a7b30b326d50bc238869c033d6923df227e
SSDEEP

24576:An0TX1hQfJuu5x8/elO3gs8ZG8aljjAFF:u0TX1efJug8OO388jAr

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4628	tmppack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
316	14c87d8e079bba8933dd6daa4b118803.exe
316	14c87d8e079bba8933dd6daa4b118803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4628	316	14c87d8e079bba8933dd6daa4b118803.exe	15
PID 316 wrote to memory of 4628	316	14c87d8e079bba8933dd6daa4b118803.exe	15
PID 316 wrote to memory of 4628	316	14c87d8e079bba8933dd6daa4b118803.exe	15

C:\Users\Admin\AppData\Local\Temp\14c87d8e079bba8933dd6daa4b118803.exe
"C:\Users\Admin\AppData\Local\Temp\14c87d8e079bba8933dd6daa4b118803.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\BJMIGGXARECSRILWBPKVVKUX\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BJMIGGXARECSRILWBPKVVKUX\installer.pak

Filesize
93KB

MD5
22eaf0d958599207e015c157570e2856

SHA1
b897b1b7be733cd6945fe152da4634738ce8ab3f

SHA256
654fafedaa947475cee786289ad6f06186d7096293fe68fce21747bddfec16a5

SHA512
0a04717775de978d1f9b6ef8181db14f07e96d6ea47a53964c97e9b9ee9826149266563d7d093ca777e196aaf6abab4d3b1caa52e9ff5dab952ef416de2545ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJMIGGXARECSRILWBPKVVKUX\tmppack.exe

Filesize
561KB

MD5
191daa51ab8e3dbe928711f001dc3adb

SHA1
84d307554c31dd13b5789109505b7394f34c7836

SHA256
a39c78f61f42f22bfb40cfe9f56239bb15d7ea6ca153a5ded61c36997a61fa45

SHA512
1b10db82956d2092bee5b0a3f954b47bbfe669193d04fb586545a8a8167d84dc1a6f8aab8bd0d1695145830c733e0fa3b2505223bd50495a65bae32b04837a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJMIGGXARECSRILWBPKVVKUX\tmppack.exe

Filesize
96KB

MD5
10ed8990fb0d20cd72e257e7bd67e534

SHA1
313f27bef464a4ab3f4ede492ef2ab6c0ff3a328

SHA256
ea695430fa03bee414db77e41ae515267bf66f5d4b5d6ac2532da65d2318d539

SHA512
67a62571fb6a051d93036ee1c1ce24e58d4319f9d4d89cc924561a1f1f3044b7a9792702c23b115d24279f22dc4bc29559a1d4ed049d4514ccf8de84aa1b7a42

Download Submit
memory/316-7-0x0000000002A80000-0x0000000002BC9000-memory.dmp

Filesize
1.3MB

Download
memory/316-73-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/316-94-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download