3f437fac21450591cd48416d917ebf9fe402d6f829c2346d0727ad84c3187888

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57916fe8a1f2625956ac6e676bd8f000.exe
Size

1.9MB
MD5

57916fe8a1f2625956ac6e676bd8f000
SHA1

5e3bd615d2778c7e201709b13662db828d11dd1f
SHA256

3f437fac21450591cd48416d917ebf9fe402d6f829c2346d0727ad84c3187888
SHA512

017607994f44f391677d3cc40730e1fa697141b676f6716b932a6b121504c2186559aeb897df70cd5dbfc978a9b8cea20f35ccbbba193bb440a86f10349cd930
SSDEEP

49152:trUeYg5fmzgo6cDG5E14sKzVNsRsAcpINWQKFKB2K8:Wo5fmzgHrC1RKB6RapI6K

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2732	57916fe8a1f2625956ac6e676bd8f000.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is259394281.log	57916fe8a1f2625956ac6e676bd8f000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
648	2732	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	57916fe8a1f2625956ac6e676bd8f000.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	57916fe8a1f2625956ac6e676bd8f000.exe
2732	57916fe8a1f2625956ac6e676bd8f000.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	57916fe8a1f2625956ac6e676bd8f000.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2732	57916fe8a1f2625956ac6e676bd8f000.exe
2732	57916fe8a1f2625956ac6e676bd8f000.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 648	2732	57916fe8a1f2625956ac6e676bd8f000.exe	30
PID 2732 wrote to memory of 648	2732	57916fe8a1f2625956ac6e676bd8f000.exe	30
PID 2732 wrote to memory of 648	2732	57916fe8a1f2625956ac6e676bd8f000.exe	30
PID 2732 wrote to memory of 648	2732	57916fe8a1f2625956ac6e676bd8f000.exe	30

C:\Users\Admin\AppData\Local\Temp\57916fe8a1f2625956ac6e676bd8f000.exe
"C:\Users\Admin\AppData\Local\Temp\57916fe8a1f2625956ac6e676bd8f000.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1704
  2⤵
  - Program crash
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ish259393813\bootstrap_44348.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\css\main.css

Filesize
4KB

MD5
cad4777cb5fcf9dd9f4758a34bdd85c0

SHA1
59d32936448e89e656ceb38f832dfa7f4cbec593

SHA256
8d0f9fa10e7145c740340e83db8a3b8d05970cba1a707b79c851af37a56d74f4

SHA512
6c9f1f72d2c64d711d375755c9aad4b45b8d209f2998c0add2a6014ec2c8257dd43bc75e46b7dc853a36013b81752cdfecc49faa60e96915dfdcc0d20cb83924

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\css\sdk-ui\progress-bar.css

Filesize
506B

MD5
5335f1c12201b5f7cf5f8b4f5692e3d1

SHA1
13807a10369f7ff9ab3f9aba18135bccb98bec2d

SHA256
974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda

SHA512
0d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\BG.png

Filesize
63KB

MD5
674ebeb11c056b0cdf01802020b8b41a

SHA1
16fba8a46be739be737fcce768021a83142dc7eb

SHA256
b2f6875b12c8d4d583f93380c34babc18bb027cb15ed4e8a39bfbb5d9848f0b7

SHA512
71a826aca996b7db61a23e3011d4b3d9e61469f82620e6c0b08b1c85492d81da0d151d4c9aac6b3c168b53f0e4314bc2af6d5949c1e579f062f2697ae86be40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\Close.png

Filesize
1KB

MD5
60e7a3f760637dd125a1150474e7f6bb

SHA1
46e4b53480dd7b3db532e3511a7ad3b9e99b2f48

SHA256
d244e6d623fb3706340ead5491bb61663e5d53a3f7d96d4b613175c875c42184

SHA512
d279b197d330c4fe7de5e891b45e60273b603d58c84a502461ba2edf008ed51e6bcfd8768a74ee95bc9558bcbe8294f9f759c188327f7c54b1483d1072b32268

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\Color_Button.png

Filesize
1KB

MD5
a4987c1267f6e8361800aa3d2dc840a2

SHA1
6d428d5e9333f78ffb65f8ac3aab06c8915078a3

SHA256
1b7fffc6ecbde629472f7e1b534243f7f7da06a6f2fed082cf1c62b6b002e9d5

SHA512
5fc4a1619851dddb8e689cbb342570f3004a7e4c030c593ac361b55584cda6178b3ce6a4baeed810467e569c07587affde5180420d793eb380782f440b23660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\Grey_Button.png

Filesize
991B

MD5
8a99e16e48ab5bfd0084ccd49281b036

SHA1
ab40545bb33ab2bad0891d3b71c3f618a916cb1d

SHA256
e44a2c233a1b29a6cb3bdd5955dece4ddd1e7497d3529bb55add8da124ad3fef

SHA512
f8b5fd65300cfd1f7554e381d0a3313ce8611aa092b44322c1b59ebc145e915707825f0fcf8e2e979ef6464df713db4d3897f4624f5ab9d777d4f8c4c5ef95cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\Loader.gif

Filesize
10KB

MD5
57ca1a2085d82f0574e3ef740b9a5ead

SHA1
2974f4bf37231205a256f2648189a461e74869c0

SHA256
476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e

SHA512
2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\images\Logo.png

Filesize
5KB

MD5
45d8e7f1e721db59eca3dc36e932bf8b

SHA1
974fbb730c8c1ae66c6187f99d887f44d8a77a56

SHA256
f8cfaea0b23c976a4e7a67ffe79dd82210c5fea7d6eba2383a3cc33f8802ae05

SHA512
85b671dc81758977e5f807af91333573e1733ce8ca6721100dbe8538a481d8811d6d36754517948ff6a5ad984bb5ed0724790f43ba30dafdafb8c94735e249bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259393813\locale\EN.locale

Filesize
2KB

MD5
5b736b0265eab61e0b5e21d1129ba75a

SHA1
b1d0a839ed10092ed786b4a0a33ffbae85068366

SHA256
b3568cea6293cfd184bcba6784e93de54a1b121feffe2414f0f88cc2d5eb49b1

SHA512
ea478ef260ac25f98dc0d0071ebb7a619d76d81c7c2b5e01159eeecbddc24d63088e7735c74b73ec8cc5db80ffa81c643ed161460bb5f233086b7eff3e099634

Download Submit
\Users\Admin\AppData\Local\Temp\ICReinstall_57916fe8a1f2625956ac6e676bd8f000.exe

Filesize
1.1MB

MD5
58236f0e99d49b20919c328b815f039a

SHA1
72b94a88324b85c9f20121c77e1ee6b2ba93516b

SHA256
08172836c563b5389d874c31c82799901ccfdd9f94cddf873ef9a370d0f37b33

SHA512
d6d8ab2030b6d8cc9934ec3e325194bdcd3e47ae6e88a817cedcca80b8cfeabeac289046e43e1aed188816d2d2777756af2f3ce221f57cee905ed2e5d35f627e

Download Submit
memory/2732-0-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2732-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2732-147-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2732-149-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download