51bf1c26a7c4399f934eb60a16067ecde71a2a86e03a2fd3ca6daae214dd96d5

Analysis

max time kernel
1s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0663ec42e79093f48898f2560695b18c.exe
Size

990KB
MD5

0663ec42e79093f48898f2560695b18c
SHA1

c9a452a6c359908775a2b7dd00a33f549c5aa7e0
SHA256

51bf1c26a7c4399f934eb60a16067ecde71a2a86e03a2fd3ca6daae214dd96d5
SHA512

e3f13ae035f6936ff70b58aeb829648fc6ccaa1c564d6d878ec442e9528f796b07680f4cf7a57da2df22e7155d076ec2ede87082644e41ac4496d8341eadf0fa
SSDEEP

24576:i5sjkZcf3Eo63487oYbJd5A8uvKzS4MvKCINHPf4xVE5:csR3EoxYBbSDvKz0vKCINvgxVE5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	215AppsChecker.exe

Loads dropped DLL 24 IoCs

pid	Process
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2784	0663ec42e79093f48898f2560695b18c.exe
2676	215AppsChecker.exe
2676	215AppsChecker.exe
2676	215AppsChecker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29
PID 2784 wrote to memory of 2676	2784	0663ec42e79093f48898f2560695b18c.exe	29

C:\Users\Admin\AppData\Local\Temp\0663ec42e79093f48898f2560695b18c.exe
"C:\Users\Admin\AppData\Local\Temp\0663ec42e79093f48898f2560695b18c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\nsy639.tmp\dlhelpdl.exe
  C:\Users\Admin\AppData\Local\Temp\nsy639.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~1859~2087~~URL Parts Error~~SendRequest Error~5E-44-E0-CF-DD-1C~#~~SendRequest Error~~IE~~
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\nsy639.tmp\215AppsChecker.exe
  C:\Users\Admin\AppData\Local\Temp\nsy639.tmp\215AppsChecker.exe /checkispublisherinstalled
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy639.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy639.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/2784-66-0x0000000001D20000-0x0000000001D3A000-memory.dmp

Filesize
104KB

Download