6727528ba0d78a86115f79d497958c9840dafb23df2cdfd3a6f7fe725f34b1f8

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09efc4122868dbc01a9629a89ec34cdf.exe
Size

1.5MB
MD5

09efc4122868dbc01a9629a89ec34cdf
SHA1

68fe582309befc098e1aab0be94d54fb64e5ba79
SHA256

6727528ba0d78a86115f79d497958c9840dafb23df2cdfd3a6f7fe725f34b1f8
SHA512

c3b1e2ee8fed13e461875451406a8ac8145d55c598364fe9337b10309bd07bef3cfbd3f0368f6591f625a88528f67af62ab1ae12871d585337a36b953e8a9d84
SSDEEP

24576:98wlCawZDWAGUxrlThp3sFIQnYZiqK1d7YZoM68NVXgJ+6EyCCtg3UmjM01oKl2p:98wlCaFELD3st+hKX7Y6ENNgJ8bdUAMv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4708	atrinsic-silent-t.exe

Loads dropped DLL 64 IoCs

pid	Process
4740	09efc4122868dbc01a9629a89ec34cdf.exe
4740	09efc4122868dbc01a9629a89ec34cdf.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe
4708	atrinsic-silent-t.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023207-14.dat	nsis_installer_1
behavioral2/files/0x0008000000023207-14.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4708	4740	09efc4122868dbc01a9629a89ec34cdf.exe	90
PID 4740 wrote to memory of 4708	4740	09efc4122868dbc01a9629a89ec34cdf.exe	90
PID 4740 wrote to memory of 4708	4740	09efc4122868dbc01a9629a89ec34cdf.exe	90

C:\Users\Admin\AppData\Local\Temp\09efc4122868dbc01a9629a89ec34cdf.exe
"C:\Users\Admin\AppData\Local\Temp\09efc4122868dbc01a9629a89ec34cdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\atrinsic-silent-t.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\atrinsic-silent-t.exe" /OFFERED /CHANNEL="Ezt-Zugo-1337_25624_BingGeneral"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\inetc.dll

Filesize
20KB

MD5
2f94245152dbd233e248909f9c01c578

SHA1
ab4e5879c001b36a2f9ff214946599fd015edda9

SHA256
4c4d85eb9725fc7fade03467990e3dd9671c29a7870c97e69babc2cb3c9adef9

SHA512
f92830de27d6663be5e0df9e32cd88732bc7ee93b14c1ded65258c325d22436400801aff1124f40400c6c3b3c16e71deb08436714716f3888d13a8a6b6a32231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4519.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\Util.dll

Filesize
64KB

MD5
f330570709e12939244f67217ba2d3a4

SHA1
e6bf91a100b290e348718ad4eb81200328e766e6

SHA256
86a7293de6330c5ccc680419ea8ac9910626f4f93c9e95737f744357eb27ae32

SHA512
a3c51d5737e03837b80f276ae3f023e52266e91c78e04481fcc1912ee8fc059bc4333556b17f7e7a63b5febd2c2f496be6cb9663cc1a707e4d2fa5103a6da622

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\atr-inetc.dll

Filesize
21KB

MD5
4a119b14d9bebe4b36e35486fef0aa01

SHA1
c117540ecc5ded43d57414ff2f1ece39a43102db

SHA256
548aab3a07a9085d141856587e5c23be1476cea2cd4ce10b44b712174ff4fad4

SHA512
49a894307049273888f644e55785cf20fb656183a556f7ddae2db7cd9f13288ed0750a3994a91923e4517577ad8c35f5ea8b06335add16f428bf2099bb8a5e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\atrinsic-silent-t.exe

Filesize
447KB

MD5
ea091893fc2f549ff240ff3a77e49845

SHA1
39004d2463dacf46cdf96fe65e54d83a5a8fbc40

SHA256
989072c63b1781ad61002437ac3b0975a379767d90041cfa7908f31abe0e97c2

SHA512
fcbd12e44d5d5ef85f42aa882fc569b09aaae4c2dd25ab6794844ad9bddefb836c6afed60f82a0f4f2891c63a8b1c9c8b7e0130a57aa6c1807d215eb6c891f54

Download Submit
memory/4708-29-0x0000000002EF0000-0x0000000002F0A000-memory.dmp

Filesize
104KB

Download