f88c03eb0c46e854f8d3df4615bc79f57cb2d59182db6e2c33e05068286e4eed

Analysis

max time kernel
1s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

294c184d6893d20d910a575152be425f.exe
Size

896KB
MD5

294c184d6893d20d910a575152be425f
SHA1

7e8785952563d136910a1d739eb3f2d9e6af189c
SHA256

f88c03eb0c46e854f8d3df4615bc79f57cb2d59182db6e2c33e05068286e4eed
SHA512

a63376212605672bc96d9b3ec3a56331ca8d55725a62d49d1a01d3c329216638d973f15631e3f6bb8a2fdecd900783aa63b92fe0fb6ce06124ead7547dafbbbe
SSDEEP

24576:e55sjkZcf3Eo63487HbJd5A88vK9EqsvK4GHP8xVEo:gsR3EoxYHbSXvKxsvK4Gv8xVEo

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 35 IoCs

pid	Process
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe
3264	294c184d6893d20d910a575152be425f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5084	3264	WerFault.exe	15

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000900000002324d-176.dat	nsis_installer_2

C:\Users\Admin\AppData\Local\Temp\294c184d6893d20d910a575152be425f.exe
"C:\Users\Admin\AppData\Local\Temp\294c184d6893d20d910a575152be425f.exe"
1⤵
- Loads dropped DLL
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 132
  2⤵
  - Program crash
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\dlhelpdl.exe
  C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~393~455~~URL Parts Error~~SendRequest Error~F2-33-4E-D3-B5-DD~#~~SendRequest Error~~~~
  2⤵
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\GetVersion.dll

Filesize
1KB

MD5
ec7bc2c5a3e2e4a0f4af82e2f43afe1a

SHA1
eb8891898a87a971a7ac113f338fe084b3f8501a

SHA256
b1f570f05926fa6afed8cfdb84b4423d11c693f19c0eaf4f4175fb9976edb410

SHA512
0ddd647084d49a16a22465e5e7b6d61ca28f6daf38c6dc45e1f2b6a97d70f9ba7c89ebc0493dcad482feb5c3036024a8d9a6d059f1c00dd8f8f5e44dd38684c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\GetVersion.dll

Filesize
1KB

MD5
ad41d2238c7c9c2c0deb3d4a03ba18fd

SHA1
ec3c3dc197d8fc2e73afee1a07b52518b31109ad

SHA256
1e8f08bb409b72ec8a0f0f954821d1aa61eb0e603de1cbe4885a40d8a13a768c

SHA512
bfb298bbbd9d9a1540c61da6560d0b9d8cdaca800054908f41296e1e9ee947f7c498bf61e6cdf7725f0e5ab687569509d7fbc2bc9ac256993a021e9d513ab652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\Math.dll

Filesize
56KB

MD5
555f494a2a55b7806ebdbc6f86977726

SHA1
0f9937325a89fc23ef610fa2865adbdb9bf60486

SHA256
6cd960d96b41a87a8689811f23490f9b573883e95ae95ba750093fae787a634e

SHA512
b5b79a196b3d8353d5cd042fe08248db650ada02dea2a066d41344f397363fa4175b16eeba5aba6726357953f0a6e4b3970e0fa9e74fd8b4df6981afe933eef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\Math.dll

Filesize
4KB

MD5
f7ebcdb90258a553a87132aa636ecff4

SHA1
e81097e75d37653dcbc681061c8abc0d01145d2f

SHA256
4256143448b9c058b730b2d289e434e6995bcfefb87017d649c3f2efad78b281

SHA512
3b17d1e10f4536431d54466d23db93cd139c12a8c1c5d94b52baeb65628f99a5169639e02d93816d8b8913f2cd2db8a59bb7f1bfdceb3265457dad84e2c02afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\Math.dll

Filesize
9KB

MD5
0d008cc3d3a533f7ab901278a56ce7fc

SHA1
a4232ab3bf16b006c16788d52892b3f7d64e288b

SHA256
595b551b36f35f966bf6f2db85c658a037b4ed7aacc14af52c966791c875019c

SHA512
c9be936377b1874a07e570ba2b044a7b7c2636eec008b2cd571aacd186ec12c70f7980bbe199f25e7589a0885b65dd4474d930f230951abd0465884cebff27f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\System.dll

Filesize
8KB

MD5
566a4e46711e85cb43a8fa010a08c19f

SHA1
f0bd8228aa743ca5870e4fa88a5bc715030a0623

SHA256
dd9c3c4bff9c0f7d88a5869eb0b023591f1b530ac96933d2655fb801bf96d08e

SHA512
75500b61e26bf0a0ff9dc607c69543ab853aac3d1aa11e1ab1f637d269d4ea9f66ce8bad964f47491e65ed1ce00cde453adb4e9f66032303b49e535e98bd7b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\dlhelpdl.exe

Filesize
126KB

MD5
16292168010ec1b9e7bb9653cf2c0977

SHA1
077f663aca0ef31c9783e5fc4e5ed7b4b314f82e

SHA256
96a7e6417b653b6160e3ddc4302bee5a7d3e6b8f8b96b1c2a2e25245cbbbca7c

SHA512
5bc94164aa9208587c9d08250c73868925ea763dc9c3d8f8f85ba8c805460728f3974122237a8fe4eafe8e3ad2996a3683d24635a959c19a2754d1b51912c83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\intlib.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\intlib.dll

Filesize
1KB

MD5
6789f6f686109a31e8282a64d4710061

SHA1
d29e63d0c01714d860f59f71c2ad72f2d6aba265

SHA256
5e56b042927d13266a4d4bcfc458d29094ea86c771048be81cd4f63e6672a3fd

SHA512
bebde4b8510a66d83d0a2ba7cc90371202fc824c37f72101751640031dc01074d98322230efc4c8815f465db6cd5fea62efdd4323c6c168c4c29a7676c4375f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\registry.dll

Filesize
11KB

MD5
26311e95e90eadfd873e1abd56314d0a

SHA1
4ae407167390f4e1ce6ac3d4227c3c92c7ded64b

SHA256
b6817f0a4ac560dd6c14e6eb374285ccfef66fa1817ad4aa5a63c17619b839cf

SHA512
2e315f1ce39c42faaad46845e9756824695b7664d69674eb514e55cd1e9a4ffceb5f13f2a7c221be56bf9978f924dafdb07f52c7c4d4645a88785b6c8520bd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\registry.dll

Filesize
1KB

MD5
869a52e6f0e52ead865c53da76b38f48

SHA1
a53305cbfa841aadfa61965ee6f48434beb950ac

SHA256
ab95e26326c7f2eb3ff1f6c4bdf887d2f4057f7bb637fb8dd5a888145a906f14

SHA512
022c688f7f27294f7bdb3d223fb1fcc4a608adfa8ac1d0b81730351e88329315c34bb23eba8ebf4f8bde8caaf456dd60a1cf40346f0bcf0c15b8edf13a37f1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa474B.tmp\registry.dll

Filesize
16KB

MD5
24a7a119e289f1b5b69f3d6cf258db7c

SHA1
fec84298f9819adf155fcf4e9e57dd402636c177

SHA256
ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1

SHA512
fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

Download Submit
memory/3264-65-0x0000000002B10000-0x0000000002B2A000-memory.dmp

Filesize
104KB

Download