5f1d73602982331b76d49f123d1defdf29c394c7a84571b1834afeb2690dcadc

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8aaf342051afd5949aa5119134405d.exe
Size

12.3MB
MD5

5f8aaf342051afd5949aa5119134405d
SHA1

0f403390eb2dd0187347c0598fe553b538e202d0
SHA256

5f1d73602982331b76d49f123d1defdf29c394c7a84571b1834afeb2690dcadc
SHA512

d85d545763ded0dc285460a0822b60912115185d630dbd4e9914e02354bd42695bf58763cb469c1c1bafa7359a420ae1f289a023af350f18f905c4fd95599548
SSDEEP

393216:4QQBBFwWWEpCEDLJ83a10RtN3ZWbs1TJ2KsD:4QKFwW3pCEDtEa6tN3KO

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 21 IoCs

pid	Process
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe
452	5f8aaf342051afd5949aa5119134405d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	api.ipify.org
64	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
452	5f8aaf342051afd5949aa5119134405d.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4240	tasklist.exe
624	tasklist.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4460	wmic.exe
Token: SeSecurityPrivilege	4460	wmic.exe
Token: SeTakeOwnershipPrivilege	4460	wmic.exe
Token: SeLoadDriverPrivilege	4460	wmic.exe
Token: SeSystemProfilePrivilege	4460	wmic.exe
Token: SeSystemtimePrivilege	4460	wmic.exe
Token: SeProfSingleProcessPrivilege	4460	wmic.exe
Token: SeIncBasePriorityPrivilege	4460	wmic.exe
Token: SeCreatePagefilePrivilege	4460	wmic.exe
Token: SeBackupPrivilege	4460	wmic.exe
Token: SeRestorePrivilege	4460	wmic.exe
Token: SeShutdownPrivilege	4460	wmic.exe
Token: SeDebugPrivilege	4460	wmic.exe
Token: SeSystemEnvironmentPrivilege	4460	wmic.exe
Token: SeRemoteShutdownPrivilege	4460	wmic.exe
Token: SeUndockPrivilege	4460	wmic.exe
Token: SeManageVolumePrivilege	4460	wmic.exe
Token: 33	4460	wmic.exe
Token: 34	4460	wmic.exe
Token: 35	4460	wmic.exe
Token: 36	4460	wmic.exe
Token: SeIncreaseQuotaPrivilege	4460	wmic.exe
Token: SeSecurityPrivilege	4460	wmic.exe
Token: SeTakeOwnershipPrivilege	4460	wmic.exe
Token: SeLoadDriverPrivilege	4460	wmic.exe
Token: SeSystemProfilePrivilege	4460	wmic.exe
Token: SeSystemtimePrivilege	4460	wmic.exe
Token: SeProfSingleProcessPrivilege	4460	wmic.exe
Token: SeIncBasePriorityPrivilege	4460	wmic.exe
Token: SeCreatePagefilePrivilege	4460	wmic.exe
Token: SeBackupPrivilege	4460	wmic.exe
Token: SeRestorePrivilege	4460	wmic.exe
Token: SeShutdownPrivilege	4460	wmic.exe
Token: SeDebugPrivilege	4460	wmic.exe
Token: SeSystemEnvironmentPrivilege	4460	wmic.exe
Token: SeRemoteShutdownPrivilege	4460	wmic.exe
Token: SeUndockPrivilege	4460	wmic.exe
Token: SeManageVolumePrivilege	4460	wmic.exe
Token: 33	4460	wmic.exe
Token: 34	4460	wmic.exe
Token: 35	4460	wmic.exe
Token: 36	4460	wmic.exe
Token: SeDebugPrivilege	4240	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 452	2232	5f8aaf342051afd5949aa5119134405d.exe	94
PID 2232 wrote to memory of 452	2232	5f8aaf342051afd5949aa5119134405d.exe	94
PID 452 wrote to memory of 4720	452	5f8aaf342051afd5949aa5119134405d.exe	99
PID 452 wrote to memory of 4720	452	5f8aaf342051afd5949aa5119134405d.exe	99
PID 452 wrote to memory of 4460	452	5f8aaf342051afd5949aa5119134405d.exe	102
PID 452 wrote to memory of 4460	452	5f8aaf342051afd5949aa5119134405d.exe	102
PID 452 wrote to memory of 388	452	5f8aaf342051afd5949aa5119134405d.exe	104
PID 452 wrote to memory of 388	452	5f8aaf342051afd5949aa5119134405d.exe	104
PID 452 wrote to memory of 4240	452	5f8aaf342051afd5949aa5119134405d.exe	105
PID 452 wrote to memory of 4240	452	5f8aaf342051afd5949aa5119134405d.exe	105
PID 452 wrote to memory of 624	452	5f8aaf342051afd5949aa5119134405d.exe	107
PID 452 wrote to memory of 624	452	5f8aaf342051afd5949aa5119134405d.exe	107

C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe
"C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe
  "C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4720
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:388
- - C:\Windows\SYSTEM32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\SYSTEM32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22322\VCRUNTIME140.dll

Filesize
18KB

MD5
6e4471d8c99f1f1268a42c60e0883323

SHA1
626ebb184055ba1cbad715d9d2ec06fcea7a74ff

SHA256
2dd231bb2d74547fcbaa719e92173772a055d78a83ebaf4b6f3aed90527c97fe

SHA512
4d5ec9914e12f75ee9748ff42ab600575fecd89636c75208158f661f84b7625962cdd1088144da47179ef45d5b2f36e92ce41fafa9e6aa0235bafc3fc410d0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\VCRUNTIME140.dll

Filesize
92KB

MD5
cbf612a2903bd74742fcd38b7599f52c

SHA1
9320fc42e9bf2a018cc2dee9de0ac475de76e6bc

SHA256
57a8f0f44ea6aee3463a82602e6bf1568eb94de373d6c087e6ff3c3808d047c1

SHA512
8827ace948891a71dfe614e661ec6d5e8696efb1e9b22f6a177325db0a6051f9353e7c1f456e54466a118c57ef98ac058f39be169ed96c6eb8502c1cb54dfba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_bz2.pyd

Filesize
29KB

MD5
b144ee3a26ea3e4d08bf284709d9c3da

SHA1
04cd8b4f36ab56249885456e57db269a036c32de

SHA256
a8055df35cb4afe451e4f93baed667a7bf35646006f796d2547ddd82137d1e53

SHA512
24909a0d2619b27ed053a63e4cd84ed759ccf17b9033cd0e6e95d3157c22d6b4b4835789b566803f4cbd53b1f677775730cd187bd12f01956b12471dfdea6da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_bz2.pyd

Filesize
3KB

MD5
32d283b8c6e534d46d427f4343fa8a5f

SHA1
e7197cff843b8960f60aa0f42792510c5fd385ca

SHA256
ebb257cfec61de4646d87171ee8df7505924323baec601dc13fc74a9c43750b5

SHA512
60be8923079b8103d85a8a64153e0e0d2d931eb1db47a46f7518794c3873d0425642d1169575983940be55ed1a3b968af9697bf53498602b1cd8e056b49ec594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_ctypes.pyd

Filesize
96KB

MD5
d8b6601147c259b00db9b002b4c83372

SHA1
f4e529890e90941167e03ea202bab74e9aa1345c

SHA256
f35d31aad38fb9e4f20ebec7b89f4f2d74d69d052491403107dcd7ca7e84d3bb

SHA512
a7a9eeeeafb4837b231f0338f2944b1ba562e1943333c37b64b84c2aa117b7d90d248097474cd2b48046669c55d5ea668e07df2e8e54331fee97163b98980bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_lzma.pyd

Filesize
64KB

MD5
f5da342388c27c11f16593f5d38c7f9d

SHA1
74efd6d4e88596876827ddf17617195f5359c8db

SHA256
1d7eb91a427c527b80fca4695ae0791250c06e46cd9e8e110b7b7b66f836e656

SHA512
37517f57d792cdd7dcc4112d47ef6208482721f62e754264e5cca7070883ac0b75560b18e729b4200349f3c3a8b4fa3d1954ae528fe36ca2748b9cdf9ded72ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_lzma.pyd

Filesize
38KB

MD5
17d5ff99865367f3a54664f65c4b97f8

SHA1
57a4ef2e4f1bdac65d24ca4f10430e3ba5b3d32a

SHA256
eb5ad236d42e17adb745f88c1104d283b14a93a9a97ba10177e186a878959b81

SHA512
c31f8c9eef11c9d01215f7b874c8b4a8544f9994859de0f19aca464d7377555bb6885fc68af8156d360d3f69f33fe36e7dd759bdd804005c54e53e94f34ed02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_socket.pyd

Filesize
20KB

MD5
d7108d6c15831fc7e7082735485c8e01

SHA1
cf4569037817e0da7a794be039770497bd8e2e39

SHA256
ebfd2443a5ab4f0cde54695c789725c6d62a7bb19857650fbbc6676701559df9

SHA512
35e4a1527275d6b603b3dbf9c52894e79712af5826765e92b7b65ea2aef43a8929ef9c525cb0f2ce2c215e2b87c020df9e67b37b98160c354899c1f5a2e4ee9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\base_library.zip

Filesize
77KB

MD5
2307cae881e57e92daa7c38d27ec074d

SHA1
2eda617f567874d9b3a744733dc3a3d535383b24

SHA256
3a5424350d4c50e28f7338b9f8178d32c4551131ab723b8a91801fb9609ca769

SHA512
8c05e89095e454c63dc55356f0d792d33e07becd9c7cd228b15c7c92a06d780438d75fee8d5fc39820cf89d02a1eb49ad59525e63dc0d76c2611663c486e6460

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\pyexpat.pyd

Filesize
44KB

MD5
20b830a9ffdf99da29da5e1e1185c803

SHA1
f5df2fd65dce125808eb1933563f0575cd3b02d1

SHA256
ed70de59f495db9549e447b161e2a9fe2fad63f4c2d2cd957356f498c123e970

SHA512
ebae1cbd23729292f95a105f128f3321004966dff5a1f8c1ef2ed9af045f199344dd2cc5235c9fa2627f0dca1fd988bb623b9c93db4983df6e5bcb97e7a6c74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\pyexpat.pyd

Filesize
11KB

MD5
bde1050e302184265babf720722becdb

SHA1
29b9c40a1f8f4a39e127ffa24fdfbf539b3f84d6

SHA256
99dae04efff399c62f38365b248e1ca9d126b4f820b55727c66e3af702fc2161

SHA512
44f3e677f80bbb0ab6ac2b7bf3724a9af84bc972d56d756ddccf1935a9e4ec9dc7523464abcf8ae9ea5b74312d65b6832031e18da684dea254ec9252d1750ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\python38.dll

Filesize
979KB

MD5
f64736a2da76c8e240013f7b05210909

SHA1
409c845fd153f0e9909e986526ac93dd29a860b4

SHA256
f48a07462dba6c29f89abd007cf195e30ff9f122d30c5eb40b59aef590918737

SHA512
3098c85114a8980163977d9173099d08abeb505a623a551e46a0dae35d0c316137c715b9015a65a3985d006bb46ea197f9ab596c32fa665de6772d22adb64c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\python38.dll

Filesize
96KB

MD5
f2c15fe651cae3646c0d0e96e788c565

SHA1
9de1b9bef4b3d1ba51c94081d6c0a6466a995f5f

SHA256
0178716bbe6cf2d494824cb23c91f4051ce3706a7b37cf3a9299346ca2e319d0

SHA512
7cc02fb00271f360df1ab7ff2850a6be9e24bd66991b98abced6f0f6f437affc93bfdfcc5def418a1f13bf7986a7b5f830f0d81e5474fe33456a3473cfc30e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22322\select.pyd

Filesize
27KB

MD5
e21cff76db11c1066fd96af86332b640

SHA1
e78ef7075c479b1d218132d89bf4bec13d54c06a

SHA256
fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28

SHA512
e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

Download Submit
memory/452-1034-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1012-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1044-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1042-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1040-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1038-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1036-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1014-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1032-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1030-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1028-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1026-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1024-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1022-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1020-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1018-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1016-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1046-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1010-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1008-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1006-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1004-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1002-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-1000-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-998-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-996-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-994-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-992-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-990-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-988-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-986-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-984-0x00000227FA4D0000-0x00000227FA4D1000-memory.dmp

Filesize
4KB

Download
memory/452-983-0x00000227FA4C0000-0x00000227FA4C1000-memory.dmp

Filesize
4KB

Download