e2e71408bbf2e68cceafcf2ec9ac72a3785193ebe6b4d82dc974c701afd13f72

Analysis

max time kernel
2s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15423983f3d88a420046dcee942b02df.exe
Size

822KB
MD5

15423983f3d88a420046dcee942b02df
SHA1

9ba79809d9801a3ec22e4a43c8edcaefdbff7111
SHA256

e2e71408bbf2e68cceafcf2ec9ac72a3785193ebe6b4d82dc974c701afd13f72
SHA512

940fdf43bce67349874f3a48957e70d0690f0040e809a0d9aa568a5789e62dae03e46197908f20872ee46cfb8c1d3d3c6f4da2fd03f88d4c5b3c35d63de691a1
SSDEEP

24576:nOUjsjkycf3Eo63cbJd5A8uvKtSAvKQOAkhKnHPdt/:1js23Eo5bSDvKtSAvKQ5khKnvdt/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4952	dllstub.exe

Loads dropped DLL 39 IoCs

pid	Process
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe
640	15423983f3d88a420046dcee942b02df.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	640	WerFault.exe	14

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0009000000023248-167.dat	nsis_installer_2
behavioral2/files/0x0009000000023248-166.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4952	640	15423983f3d88a420046dcee942b02df.exe	67
PID 640 wrote to memory of 4952	640	15423983f3d88a420046dcee942b02df.exe	67
PID 640 wrote to memory of 4952	640	15423983f3d88a420046dcee942b02df.exe	67

C:\Users\Admin\AppData\Local\Temp\15423983f3d88a420046dcee942b02df.exe
"C:\Users\Admin\AppData\Local\Temp\15423983f3d88a420046dcee942b02df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1116
  2⤵
  - Program crash
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\dllstub.exe
  C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~3515~3729~~URL Parts Error~~SendRequest Error~6A-4E-67-23-AB-77~#~~SendRequest Error~~~~
  2⤵
  - Executes dropped EXE
  PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 640 -ip 640
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\GetVersion.dll

Filesize
1KB

MD5
ad41d2238c7c9c2c0deb3d4a03ba18fd

SHA1
ec3c3dc197d8fc2e73afee1a07b52518b31109ad

SHA256
1e8f08bb409b72ec8a0f0f954821d1aa61eb0e603de1cbe4885a40d8a13a768c

SHA512
bfb298bbbd9d9a1540c61da6560d0b9d8cdaca800054908f41296e1e9ee947f7c498bf61e6cdf7725f0e5ab687569509d7fbc2bc9ac256993a021e9d513ab652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\Math.dll

Filesize
65KB

MD5
d5649b5fcbb827635ca5a89e3e1cf6ee

SHA1
c86143c5708bf178f6928fb9a7b22c0f92159611

SHA256
6806d53b46830305ad632ed268bf7e8905498a17c810b6bfc2b0ff8292f12786

SHA512
c8ab701a3cf0e1a86cecdfee231b71bde7fa0784129a6d7f65f20649239b0c740daa2bae859132560477400d62f1c5a9f94fbd7d933f28e738355d2937af5602

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\dllstub.exe

Filesize
36KB

MD5
cf0d5a8b41d9dad66a6b58a215c40fae

SHA1
efcdbe2988d69e28c2430edb1574d29a65da0401

SHA256
b2e05e1baeba1c2e02a392b7ce65c0a31b588f83a7293e432881d30305ff7f4d

SHA512
7f416de67f771c866be19a090b2da85f77735f8e346ae01e9b5510e61080582846856dc45b17f5d2b5ea06e624116f6bc028b8f622ff78279cf398e72fafa9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\dllstub.exe

Filesize
66KB

MD5
5ba9cd85f2dc3e0e6b132c06741b194a

SHA1
9c323b7a5644a153dcb09dc8d6e69d99befdd2eb

SHA256
227562eaaadce843a398b1554547d62984a525ed4f877273a2af68df509651ac

SHA512
77851e63e7541af36018145ba7fca2c97ff357226c1677879dd43de34f8847bec6d8950512f3a74261638a832349270766a955bd2d59f6082ce59d001267deff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\intlib.dll

Filesize
10KB

MD5
d719b940a55217d0a90f10866265c5ab

SHA1
28b432beb7a6475d4b329d44532231082087cc90

SHA256
7cba3a059e4b134246ca153992d0b3e032fda1ce61c1204cf9dd654e8453540e

SHA512
d3a5e67acba959cf28dd13b4d4cba97fba3db3b2249b62d0a66fc93188f420836f52074014b31841e0a185afb7f0d56314d0be132d38dbd235bc7992db8a0846

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\intlib.dll

Filesize
23KB

MD5
f2b46b3a9e3f90b2b4e9be92b2bbce0e

SHA1
4b0f4d299d7ba0bb20e737f2fb3ea00cf4737537

SHA256
d5d7488467692efed00a8c7b90eb7b9ab800deba1584a2e6b9d68e188278926e

SHA512
5c95397bb8de4490dd3e37221c98cc276646c9c98ad86fb354529e71f40649e654ea9d671e259217a821a4cf364a6bed82e2e315d299e0dcca3ea32216d93520

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\intlib.dll

Filesize
5KB

MD5
832839f77184951076f005d77fd253b6

SHA1
c4fcec57083673a4488ac1e10387818b9d5d0bdd

SHA256
73147c92305bca1b1741315215c81e506609de10c43011902b4113df31bf9949

SHA512
4a48a4ef0fa0872f3d558eda157b401136426d711978724e93f807b8cb30ffbc67b7f914552f7956f39be4c4775b44d315327f054c5269007b7e7acb06f5de40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\intlib.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\intlib.dll

Filesize
7KB

MD5
2d84e827f14bc55d672a8d5b1f6b249c

SHA1
078be20cfd31ee5dfe78ae629aef5a3a8f103fd2

SHA256
a0d81ac86eb0c5fb8a5309a7eae5fafe387f38aeab679c1bf29533e602348818

SHA512
e32f3407e15bee5c91b7102a48c8310f94d22a6737368259849ac3528a2410a8a9c9811d0117c6a4f88c3fc1b8c4723bbe250886e5121e52d2e734e1120e5043

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\nsDialogs.dll

Filesize
5KB

MD5
a428a1a97d287da6edf2291c2f90ff17

SHA1
2ba8be5f51a28b623f349b0285cc207e521e023c

SHA256
648548dac5e1e47a573b0505c0fae83d172eb0cb24854aaf048a3b82f0723d81

SHA512
20d6e0138472d5166460a2d54ac0f8cb33489d84c8a857e4ede0c79853157b4895e871972d14a3b3cb1b0483aec14d19ebb1f548f861b9b2a0861db4dfae9af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\registry.dll

Filesize
16KB

MD5
24a7a119e289f1b5b69f3d6cf258db7c

SHA1
fec84298f9819adf155fcf4e9e57dd402636c177

SHA256
ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1

SHA512
fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5238.tmp\inetc.dll

Filesize
14KB

MD5
d44e9cd3534f80cb544ed390def5c29a

SHA1
1d73e175a6e925fcc8ca7b68f884836c9f03d12d

SHA256
005326a16efba514b392591936635cd42c2738437d6e4bc1894260b7f65b28a5

SHA512
f7c1a40f7c35f4282d489695d5ede2cadcbbe63d1ac8ab2041781170c5c86b0382d29825a58180ed00ba8300248e8356c9efbd7b46247c6e67cc9c5b8c2639b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5238.tmp\inetc.dll

Filesize
15KB

MD5
d4a43c1645ad2870b01d7317aea4c096

SHA1
9897f9b75f3bcaafc6770c76e07739042d6819cd

SHA256
c2301393eb06741f0e3a8ff1d6079a7454e8578ede80ef3a44b6f7be9b90a20f

SHA512
62149dd9a598ee165d346482cef50246513e8f4aa568095f90af26a77b58914b46f6c89bfb2b22d6df82c6cb5104d21ccefc14ffc7b2ad7f0fee1805351c9437

Download Submit
memory/640-62-0x0000000002B00000-0x0000000002B1A000-memory.dmp

Filesize
104KB

Download