179b4678a221ac2bb5059260512515eec9dd7a825287d3f71376b67371fa367b

Analysis

max time kernel
14s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

158b93438a8d54328fef3c117bb59ef7.exe
Size

5.5MB
MD5

158b93438a8d54328fef3c117bb59ef7
SHA1

aa24e314910adf064dff33b5106a6dd009e90c45
SHA256

179b4678a221ac2bb5059260512515eec9dd7a825287d3f71376b67371fa367b
SHA512

30b016d84ff1be67fd15a4cd66b2dec24713507f197a6e0b93dad5c9ff13be6701d4d46162cd0c085e641b5b2a83e42901bd907304fcb4f60bc96465a5c86360
SSDEEP

98304:prCupviDxaPqmbS5jR5sG6wKEU/1QoNMvCvzCC2bd6vO6W0GUEcqmdw8yPITd50I:prFpaEPdAN5UpFtlNMv22CCdJEEcqZ8P

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2948	2eb70839910d44c9eef38b4745275bb4.exe
4764	2eb70839910d44c9eef38b4745275bb4.exe

Loads dropped DLL 47 IoCs

pid	Process
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe
3136	158b93438a8d54328fef3c117bb59ef7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira	2eb70839910d44c9eef38b4745275bb4.exe
Key opened	\REGISTRY\MACHINE\Software\Avira	2eb70839910d44c9eef38b4745275bb4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\13c3944b7348de08c590376ae9160093.ico	158b93438a8d54328fef3c117bb59ef7.exe
File opened for modification	\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\b3f0860be535f914bc428b4b9cdaa0bf.exe	2eb70839910d44c9eef38b4745275bb4.exe
File created	\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\8d71433b41896220541cb6bf64bb5b30\pdqtqn.dll	2eb70839910d44c9eef38b4745275bb4.exe
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\c5a914d45b1fcc27e9a3c2444b7a0ac8	158b93438a8d54328fef3c117bb59ef7.exe
File created	\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\8d71433b41896220541cb6bf64bb5b30\bymror.dll	2eb70839910d44c9eef38b4745275bb4.exe
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\b3f0860be535f914bc428b4b9cdaa0bf.exe	158b93438a8d54328fef3c117bb59ef7.exe
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe	158b93438a8d54328fef3c117bb59ef7.exe
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\840503f74cece9fc0ebc1d83eb385cca.exe	158b93438a8d54328fef3c117bb59ef7.exe
File created	C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\a501bbb6937aeceefcb764af89bc8d8b.exe	158b93438a8d54328fef3c117bb59ef7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E	2eb70839910d44c9eef38b4745275bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\3045035B-3C14-4698-8AC4-ADB18CC42C1E\LocalService = "17a7eab8138fd8bfaa576c21628b2de6"	2eb70839910d44c9eef38b4745275bb4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4764	2eb70839910d44c9eef38b4745275bb4.exe
4764	2eb70839910d44c9eef38b4745275bb4.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeBackupPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe
Token: SeSecurityPrivilege	4764	2eb70839910d44c9eef38b4745275bb4.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 2948	3136	158b93438a8d54328fef3c117bb59ef7.exe	91
PID 3136 wrote to memory of 2948	3136	158b93438a8d54328fef3c117bb59ef7.exe	91

C:\Users\Admin\AppData\Local\Temp\158b93438a8d54328fef3c117bb59ef7.exe
"C:\Users\Admin\AppData\Local\Temp\158b93438a8d54328fef3c117bb59ef7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe
  "C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe" --install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2948
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\0a965c0975063071e0e7aa67bc12a2cf" /f /v "UninstallString" /t REG_SZ /d "C:\Windows\2d01e6c2c883a2ae6cc66857872b4b3b.exe"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\0a965c0975063071e0e7aa67bc12a2cf" /f /v "DisplayIcon" /t REG_SZ /d "C:\Windows\2d01e6c2c883a2ae6cc66857872b4b3b.exe"
  2⤵
  PID:1232

C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe
"C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe

Filesize
803KB

MD5
3d056ef3569bca226dadee8fae9d567e

SHA1
82f7557573b3f7348f5cf0f072c4a70360e78fc5

SHA256
ff5cfa5aa6766a11eeb0db79d553f6de348e153169683b894210cb9a9a7dfcab

SHA512
75eddf47c7e5d1dac0938b24e852b20b7bd9279f8b449ba0812366313ec8eecfbca3da9d52d647b9dba484345f0866ebca59e7f480066b102b84127abda802ea

Download Submit
C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe

Filesize
14KB

MD5
d9198705ba03fe35e4868626e6c4e03f

SHA1
a20c14f7890584ac4dd1d79bdd0fe5f0f6a11068

SHA256
4bae636a91523d039333e632aba6410579f65e9cedd1b3e636b0c2370535ffde

SHA512
8d4b1beba9385925b542c51e36b9a89c5b61fd2732fcb84aea5eced5439040453a418b16e45287d0b828edfcc1de1bc95adcf07bf0f701cbdbb5f8a482626763

Download Submit
C:\Program Files\0a965c0975063071e0e7aa67bc12a2cf\2eb70839910d44c9eef38b4745275bb4.exe

Filesize
202KB

MD5
c15e45e0234038d4629d396a4cf282e3

SHA1
b607fe4b7c165d18eb5899035544aa66e1be7695

SHA256
1aedfe4d63ab57c91663584fb3badcbe05bfb4a53224e056f33e65be5b5e9eef

SHA512
7ba81fbdba14411e2cb306e97f7e3254a0dc83ee2b1cbaab8ec2815acba13ed7613410cd0eeee67ee1be73f17394292aecbc1dd8be58cf18b3e2435fd5440bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\NSISList.dll

Filesize
97KB

MD5
2e0785f18f8714393bc4bc1fe170eadf

SHA1
1efba431c0fac46c6cb6f60dc08f65a0e23ccf3d

SHA256
e68d65626b24e7c1f6fbe1001f43174d0243095181025736f37ad704662f4351

SHA512
8a272bb264fa066960a4f34411a81652839eccdbc6fa25be20c0b94d7d10b16cb568338abb5d1a96c155cbc4bc7923d0387fa36bed69c1021296cc6cc5fbb45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\brh.dll

Filesize
149KB

MD5
f2fc3ee6e3e31c5e92e9959fb76dcff7

SHA1
f987a5af3796c9b35e6bd29051cd2c3a2b4be248

SHA256
919d477c4bf7513ed5f5272e1ce6c036c4a829d3d2b908a68f75ba377b09a49d

SHA512
3de0df73d9ab5988c0d690abbd64a83f0876e777b0b5fc5d6bfde8e0de83bfdd144cb5c0811758e767e233abfdddd7d0a67c1ccd447b598115ec2437cba96de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\inetc.dll

Filesize
19KB

MD5
c933e3feb9acd7d5a7e343a3de68e4cd

SHA1
cd9cad4b789064edb43200e89300c295e3c45c08

SHA256
7aaef5982071549f5d1f9a7271141d14e66ca7cef23d00a537ec5c93689a8dbe

SHA512
1b32d0fc21b0a6254c4f96ef28d390ae6efd00e9b669c3652db805fb67b48728242cac710944e62089699931fa2e089d7f0717058dc6dd2c3b853c1029bc3f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\md5dll.dll

Filesize
8KB

MD5
97960d7a18662dac9cd80a8c5e3c794b

SHA1
4c28449cefa9af46bb7a63e9b9ea66a2de0ea287

SHA256
e0d1dc6e4c5cc13fb2db08fc741da0d08b315ebc8d3b53baa61552625d19b9c3

SHA512
1baab7b5378f3a396b31bf63b01b7905759c9f1d17d71882af63338d64eceda1884c947d93e4d9ef911bded1ef061043c873a88b8272f1aa296731aa745e756c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\840503f74cece9fc0ebc1d83eb385cca.exe

Filesize
171KB

MD5
513895f81eb3aef394985bc5713e8faa

SHA1
a87bb89241b9f87e8174a32491ece7916d9507fe

SHA256
53ebd2905dc0d93a02ebe2a73571458e12de6779277969edeb5a18d271f34acd

SHA512
cb3b2772ebffcc7023f277a266ff83dbf6783be0e22e06939640addce4289eb5c2bc5d8d6678c745e05256562bebbb629929294b7a3ff5b137348452ba0c7611

Download Submit
\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\b3f0860be535f914bc428b4b9cdaa0bf.exe

Filesize
140KB

MD5
ddf8edef68285efc347c21757a49ee17

SHA1
e0bea54341f4784ecd102fb346c56e76f4860c9f

SHA256
297aa7d4a69620c2c68f42a56f0ea26a0bc3c4e7a183dc12aa33fcfd98231323

SHA512
209c2414240c9a513bb484c4b7bd7a3133795ac77c80b151c888115a2b6b79669b8b8d37cc2f2d4d1e072ef16ea3b82917bf045f08cebefd066caf2a1152e4ef

Download Submit
\??\c:\program files\0a965c0975063071e0e7aa67bc12a2cf\c5a914d45b1fcc27e9a3c2444b7a0ac8

Filesize
72KB

MD5
e89c1fbe7111f9358b2f9f11105cf0ac

SHA1
fb2de9905a21971fcd165f4617ebf431b9ab5798

SHA256
886fe52d45653f63653129a762d4335fe4bc0ea83557a06af575b032635e9e69

SHA512
dd9ef96b732c9cf113d051a3f735c41f17bc871306d90382e5d782291de2a3cef000a37b131823b85b7e7ca6a097c6ae51c99cfc357b2f87b086fcb0071b853c

Download Submit
memory/3136-125-0x0000000003C30000-0x0000000003C43000-memory.dmp

Filesize
76KB

Download
memory/3136-59-0x0000000003C30000-0x0000000003C4D000-memory.dmp

Filesize
116KB

Download
memory/3136-17-0x0000000000B00000-0x0000000000B26000-memory.dmp

Filesize
152KB

Download