3bfcd2a9aa544418e9e5ee0613b9c49b1c6ab5966fab1e571fe1fcf40b28f5a6

Analysis

max time kernel
2s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad18b1499a5394ea400a9177b602351.exe
Size

996KB
MD5

1ad18b1499a5394ea400a9177b602351
SHA1

7a09d64a68de1e586e1781594b2940a1ad746a91
SHA256

3bfcd2a9aa544418e9e5ee0613b9c49b1c6ab5966fab1e571fe1fcf40b28f5a6
SHA512

554a4f87c3501dc90fc956ecd38955ad7db6b948a08db3cb447289851366e05c36c9a1cc50982bd95967cba4e83f309588d728fcb6c286a4135765a731ae8511
SSDEEP

24576:UJuo5sjkZczo63M87oYbJd5A8uvKovKSHPf4xVv5X:UfsloTYBbSDvKovKSvgxVvl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	215AppsChecker.exe

Loads dropped DLL 24 IoCs

pid	Process
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2960	1ad18b1499a5394ea400a9177b602351.exe
2028	215AppsChecker.exe
2028	215AppsChecker.exe
2028	215AppsChecker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000191b0-137.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-216.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-213.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-212.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-211.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-208.dat	nsis_installer_2
behavioral1/files/0x00080000000191dd-206.dat	nsis_installer_2
behavioral1/files/0x00050000000191b0-141.dat	nsis_installer_2
behavioral1/files/0x00050000000191b0-140.dat	nsis_installer_2
behavioral1/files/0x00050000000191b0-131.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29
PID 2960 wrote to memory of 2028	2960	1ad18b1499a5394ea400a9177b602351.exe	29

C:\Users\Admin\AppData\Local\Temp\1ad18b1499a5394ea400a9177b602351.exe
"C:\Users\Admin\AppData\Local\Temp\1ad18b1499a5394ea400a9177b602351.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe
  C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~2070~3097~~URL Parts Error~~SendRequest Error~EE-2F-31-38-09-B4~#~~SendRequest Error~~IE~~
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe
  C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe /checkispublisherinstalled
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso2119.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe

Filesize
32KB

MD5
b4b1ae5af54067bfbf24a06e6ec43af1

SHA1
ec44e6d548a806d10e5cf4ee69f70facfc4e1741

SHA256
1fe91e35b924b74ea3d16300efba41fd83a37d728f1e44b914c0a43eaf16fe57

SHA512
f68064d352c50bc8c501003c32161f05869b909f23bee0ffca20cffad1473511247512e3722f3066d696778cf877c029ea03d9d9ca8b023caa1bea9f8360163e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
24KB

MD5
8ad4a516620b5647993484ca375e31d6

SHA1
68c5da8808cfa6a23b711ceb8905e6bc8627f6d6

SHA256
7a4f0d9087ed981240afce32d9f3938a3f7ec3521139fb149b40465e606cbb4f

SHA512
94935a4be1d2afc3018fb5221abf931960a5d7ad93fe95c5cff51c8932a42bc1c31ef0805a42469079eacf03d5e29f851298b11beb9aeb74f0ee03a2ffc45a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
10KB

MD5
41d4fca65eba5bffa871a8c424f1330b

SHA1
48480b58f8bd7c4e29d9af9d0b33f0d684b8ab9c

SHA256
cf6a5652c45a8153547004d5efa65b0dd94d3975b34b9abd0878ae93c734fc11

SHA512
ba79749c9d05394ded39226117b17d411493c693ec7c7cc2a246624d3b4cdffc64bdb0558db10c68141cff33f51322a1854cfb9ab8cf53d43480a4b29b92d6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
12KB

MD5
dbd7c7d327f38e5bd2609e24ad6db10a

SHA1
5fb90812fba816af2dcd305713bcf50cbaf69e8b

SHA256
1f11c73b3021a99234b95a459b6a4c3a97fc8dcb18f4f0a94c881bb5615ef32d

SHA512
714eff8aa3a488631025e27207002eadd16d5c77fd43576c8eddaccc69dc02b1ca05449a32c676fafa720ed2cce3a4f7da8a9281835a6413ec867868a63f7adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1814.tmp\intlib.dll

Filesize
13KB

MD5
1f737237d1ed40ff4160a3df9149bcd7

SHA1
813d879c5265f607b0f9fd98cc9533f24f755cb3

SHA256
24243268e56893c37e89591368a57243f7050779aa07f2199c26f218275700db

SHA512
08c4911529ac437b7c914c2d4cb5467e409e9eefb2d6f11966ee1ebd9db1a37cca26810ddd56f1e77da540de8758e91cb9b16cf2386c14c49ff2f0dd66aabbb5

Download Submit
\Users\Admin\AppData\Local\Temp\nso2119.tmp\StdUtils.dll

Filesize
6KB

MD5
4e67bef9240cb80c33e6bdf85089d197

SHA1
e6873d92fa353b3eb8824d5bb15e1bff3691ff46

SHA256
06dc67e57ad57ac16d12d4d1e38a8f2281aafdbfd2dc9674331b8166899cde82

SHA512
6487d0bfde01fee60f211838863cfd68c8700a8f332098775f8d678ee33516ca668afd21baffc775134536acde1a327915256d2d7ad3eda4ee24e0aff1126685

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe

Filesize
18KB

MD5
0ad504845e6da46237707509219d9d34

SHA1
b0f6f5923441e57db77318c7be11bcc28afbde7a

SHA256
8a6332ac7fb73196f90d42089afd5b98bc2f47f7022f288655758b53c368759f

SHA512
d696621ca8124b795f5229f2919c3b40c65a8a14a3d21172619e683b03ae57167e2e28214fa75b69f2e43d667490c495a4d91f3fb2edaf916e103c02acfdb3df

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe

Filesize
38KB

MD5
80ea605f284e17795c7c26f75f0c7670

SHA1
8eff23ccb4b9ef19d44a75834db0b385aec80c42

SHA256
ef832bd5c4a2978d4554d2cba461aa6fa622e85c1364125287aa392dc880c906

SHA512
03340a555137ced3ec5fd47e90f6e2250b43fa88a0a3b1d0d55138e5fc8459ded90026ae0ea084c8a126853a0265a0b028c9c2a2d20832c46ceb78cdab6c7034

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\215AppsChecker.exe

Filesize
39KB

MD5
420320e78490a36cf23cb17ffbb13358

SHA1
fcf1151c22f9b8c9e29ec6387b38e6b040bd196e

SHA256
bc13af4eb6cc4917d617785d7e4ad09f64745a9cf06354833e815e9229ce8dcf

SHA512
fe2774fd095c3a3b51b01a1da1c5fcd49b53f939b647c84cdfd3c243cb74644ca2909971bc87d3e5c8781a93c27ac3ef7691625a024008b4f1ffba4c947cd023

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\GetVersion.dll

Filesize
1KB

MD5
ad41d2238c7c9c2c0deb3d4a03ba18fd

SHA1
ec3c3dc197d8fc2e73afee1a07b52518b31109ad

SHA256
1e8f08bb409b72ec8a0f0f954821d1aa61eb0e603de1cbe4885a40d8a13a768c

SHA512
bfb298bbbd9d9a1540c61da6560d0b9d8cdaca800054908f41296e1e9ee947f7c498bf61e6cdf7725f0e5ab687569509d7fbc2bc9ac256993a021e9d513ab652

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\System.dll

Filesize
8KB

MD5
f23e6fe6645f613012ee11e7489d4eaf

SHA1
3364c0ed28a6793d43b3c58a0bbacb316e09a4bf

SHA256
f0be64c29a1c9e8e4c4f42072dc6d075270a4fa0def9f3d4e6ebf6b29ee4ba9a

SHA512
64a6de4b9e5f52b21b4d88aa68c15a79ab4df8d681d460b452f58d96d415b449b35c53aec7aa0ae80aeda1dc26ae91f0ce5e6af5c5198e17a00b1e1a286c0fe3

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
25KB

MD5
c0c5954bd811f924c5fbadf1d50dba17

SHA1
adc33fe2eeb6bd92c6feaaaae63d909acc46d796

SHA256
d443a30d8af857187c752c572f52b844980240cfcfbff7a693439531ade61f74

SHA512
924cf720756aa7930aaefc59aca1cd2bf3af7a1dcf2e5020158850e196b27cacd50d85f35b3756de5110352c063995caffc3d2aba2af8cb81fbe871744d4c0cb

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
3KB

MD5
0cc61257adccf63c0087055382e8f6ad

SHA1
3e2ed38104c9b24ecd757ccdf0683695c0da4045

SHA256
26d8253718f06275eb63baa7461d0a72cc48653946818a08d50a0c6115a22703

SHA512
62fc8dca53309c38c24853c38d5a1515231b91488d677b6292f37845afeea9b487baa3acf5014fc6c7563bc2073519cfa09cfadcecb9e0eaa0596ce615b9bc0e

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\dlhelpdl.exe

Filesize
1KB

MD5
c1cbb8798acdaedf6cb0ba1cc2772f06

SHA1
812aec7b1435dbeac78d16f62a06bfe157037d5b

SHA256
9d44e41a6f8dd7cf2314197e02369410f7aa5840b4d2bbaecd66fd440a3e87e6

SHA512
3cb608893e998aee323aa886c8226fef8f33960fc36a11f5b331443e0e8075d9afb6920a6ba944faa21fa95a7f0855a2b8eb777ca89b1cde1ff2018c48f2337a

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\intlib.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\intlib.dll

Filesize
1KB

MD5
6789f6f686109a31e8282a64d4710061

SHA1
d29e63d0c01714d860f59f71c2ad72f2d6aba265

SHA256
5e56b042927d13266a4d4bcfc458d29094ea86c771048be81cd4f63e6672a3fd

SHA512
bebde4b8510a66d83d0a2ba7cc90371202fc824c37f72101751640031dc01074d98322230efc4c8815f465db6cd5fea62efdd4323c6c168c4c29a7676c4375f1

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\intlib.dll

Filesize
2KB

MD5
ca53fa5004061f818b9f4bd74db191b2

SHA1
0e2cf3b9509b3f2c22d1e161667d47f3b31bdb40

SHA256
5cb996a95397fa220bb7779b9435cddc228709c8c521c1cbabe7689f5cc0cea7

SHA512
6185f39e955191336b94c2683c12d82e6464ecde0e91185872c93643d8b758892ce106d65f95354101e112b089dea4efa6793ef8143d5b4ac71eb5249d124789

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\nsDialogs.dll

Filesize
1KB

MD5
8cd3cbb8d61438d5fcb3fb4bce42c2e3

SHA1
7f7cdcb58a9c0972f899727c6ccb98730fbea430

SHA256
f714edbed0f2a9d7bfb97927781b5d6cfa4ebf853d428e77dd12600510750941

SHA512
767cfe35c8faf3934fcb82ea6d43185655e4e84ea7d5f6baa110ca0f2bef7d297c5dd38273502ec4aaaa3554fd77d92da91d50a25a62cbd0eae28859541fc459

Download Submit
\Users\Admin\AppData\Local\Temp\nst1814.tmp\registry.dll

Filesize
16KB

MD5
24a7a119e289f1b5b69f3d6cf258db7c

SHA1
fec84298f9819adf155fcf4e9e57dd402636c177

SHA256
ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1

SHA512
fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

Download Submit
\Users\Admin\AppData\Local\Temp\nst2186.tmp\inetc.dll

Filesize
12KB

MD5
90ea0f47689c907a28dba0aca281354a

SHA1
65d6b1bf71d5475f85cfe64643f91f56f0eb8645

SHA256
986fb1e6b2b41eb50b738dd61da60ee08c1c7f2977ecdb2bcd1c1c8aed2035ba

SHA512
69d5e94a2afc91451ccfc50d8ab4dd71cbb23d81fb4208496b099cd52d9a4b38604209fed45076a722970c7a38c4c3f66d8385a008a9a07fe36401135b378495

Download Submit
memory/2960-181-0x0000000002AB0000-0x0000000002AB3000-memory.dmp

Filesize
12KB

Download
memory/2960-195-0x0000000002AB0000-0x0000000002AB3000-memory.dmp

Filesize
12KB

Download
memory/2960-196-0x0000000002AB0000-0x0000000002AB3000-memory.dmp

Filesize
12KB

Download
memory/2960-65-0x0000000002A50000-0x0000000002A6A000-memory.dmp

Filesize
104KB

Download