ea1e39d0b402495b829ab7ce68472e31107f011c7b7e45bb3d13460dc6c957d8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243b8405591a802effda2dd8fdea721b.exe
Size

436KB
MD5

243b8405591a802effda2dd8fdea721b
SHA1

f8e24757032c1dca93bbbc439b9e425ea2466692
SHA256

ea1e39d0b402495b829ab7ce68472e31107f011c7b7e45bb3d13460dc6c957d8
SHA512

b9a1b64609fe178f2228285c0ebc2b9c22f2a2cc155dd700954a134de67f74e01351d8784957c3cb358d23df1ee131b7c08f06b658d3a576771afb239570a135
SSDEEP

12288:SeZL60a7gr6KJ525uSHIJVuE+YqYjffK0jRuKJM0r/0QGl:JZLBrjJ5chgF8YzS2j07l

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	APNStub.exe

Loads dropped DLL 3 IoCs

pid	Process
2252	243b8405591a802effda2dd8fdea721b.exe
2592	APNStub.exe
2592	APNStub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	243b8405591a802effda2dd8fdea721b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2592	2252	243b8405591a802effda2dd8fdea721b.exe	28
PID 2252 wrote to memory of 2592	2252	243b8405591a802effda2dd8fdea721b.exe	28
PID 2252 wrote to memory of 2592	2252	243b8405591a802effda2dd8fdea721b.exe	28
PID 2252 wrote to memory of 2592	2252	243b8405591a802effda2dd8fdea721b.exe	28

C:\Users\Admin\AppData\Local\Temp\243b8405591a802effda2dd8fdea721b.exe
"C:\Users\Admin\AppData\Local\Temp\243b8405591a802effda2dd8fdea721b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\nst1C59.tmp\APNStub.exe
  "C:\Users\Admin\AppData\Local\Temp\nst1C59.tmp\APNStub.exe" /tb=BDE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst1C59.tmp\APNIC.dll

Filesize
240KB

MD5
197215658b8015182192e1ebca3bbcc3

SHA1
40e49124ad0b55a25f947333ca88e9d0bc30a7e3

SHA256
08db125c09eb53cc28e7bc7c427b6c2217ff6134a122e6d65d1d24f70e875d9e

SHA512
5fe9d6c96c817bd64ea78ff511734e9e11e6ca13b4506b589156a801fa4fed568c37d958cfafb96ad86ee1229ceeb35165965cb776f3a74cafaedb1a946bbf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1C59.tmp\ApnStub.exe

Filesize
139KB

MD5
c36923084822c017f69396418a999d39

SHA1
fdc2005ced8acf86c68fe1b86b0698d0539e8ce0

SHA256
7a158fdeea8f7107be5ce40242546a503193aa1c278f74a4730871b8edd0ba76

SHA512
fb1106d4f4a138cad28a4282cb00c72688e03610be1d31a7cdd7b42b23e00e4f7ca9e731a7ab016d5920411707e165e3ee48164ef520112d8ac36fad85749c44

Download Submit