31695c4eadcb4ed864f0ae142039d83f301d70de6744c9274a105f8655a9e526

Analysis

max time kernel
1s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d496a48e22ef07bf6bffa5887fd7622.exe
Size

313KB
MD5

6d496a48e22ef07bf6bffa5887fd7622
SHA1

39e73c31d770ad6d5c9780f3bf1f53946f05b4bf
SHA256

31695c4eadcb4ed864f0ae142039d83f301d70de6744c9274a105f8655a9e526
SHA512

214cd20802d51e38e159da3f3b4b3f3461a55b06b0c8ab8c5444b633fdd8f3582ed1895efc656fefcf2015df5ba3a3bc268b86207bcf29c9abea03e8501c8794
SSDEEP

6144:91OgDPdkBAFZWjadD4slybOoG8l0hDn4jmfAcxniZmcP:91OgLdapCki4jbcxnsZP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1732	6d496a48e22ef07bf6bffa5887fd7622.exe
2304	setup.exe
2304	setup.exe
2304	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001658a-30.dat	nsis_installer_1
behavioral1/files/0x000600000001658a-30.dat	nsis_installer_2
behavioral1/files/0x000600000001658a-33.dat	nsis_installer_1
behavioral1/files/0x000600000001658a-33.dat	nsis_installer_2
behavioral1/files/0x000600000001658a-36.dat	nsis_installer_1
behavioral1/files/0x000600000001658a-36.dat	nsis_installer_2
behavioral1/files/0x000600000001658a-35.dat	nsis_installer_1
behavioral1/files/0x000600000001658a-35.dat	nsis_installer_2
behavioral1/files/0x000600000001658a-34.dat	nsis_installer_1
behavioral1/files/0x000600000001658a-34.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20
PID 1732 wrote to memory of 2304	1732	6d496a48e22ef07bf6bffa5887fd7622.exe	20

C:\Users\Admin\AppData\Local\Temp\6d496a48e22ef07bf6bffa5887fd7622.exe
"C:\Users\Admin\AppData\Local\Temp\6d496a48e22ef07bf6bffa5887fd7622.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\7zS42EA.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS42EA.tmp\setup.exe

Filesize
25KB

MD5
1e84b2c854d542224a1c53736b8122c9

SHA1
f3179bd7ca4e4870751e50c7cd9d5a81c4fe236d

SHA256
f22c5f043accea1f57446aa4097cd563e7180dfe2467db2d00a3fe2e07e2fce2

SHA512
bb1ae122fa7ff97de8d8ffcd58243d8793fd8c699fd80dd069b314f81d637a3329880752221b937063c9dc1c8ee92514f85f919d87565b3c278b63c74ce65266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42EA.tmp\setup.exe

Filesize
11KB

MD5
bd5c88fc056e526054a6e62d3e4ee43b

SHA1
cf2d2b5c2ca4ebe8c1093bcdaf2eeeea19bcf03f

SHA256
6270fa60ade6c6473d2e0cc48834090acaf3b417c64507184aa167b73d2c47d1

SHA512
52dbfedaa23c6eba46428a83d1a560c66e6cfe7d861846b160522af517c46e95085b490227dbfad1e98a444741928d7035cacd4115ccfa24ba5cd89522a83fc0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS42EA.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS42EA.tmp\setup.exe

Filesize
6KB

MD5
705381d5708e224d98ae6c61015a1079

SHA1
a59f1a7e9fa4ad52e4c7ffc1ad4f845eb211d8b6

SHA256
38c41c24b0db978be408f17c015a130f1292a37231e3e5c69d0147475bc9820a

SHA512
2673b58ab3461e3b4443339ff2a0e4e42aee0bde9dea2d2b0fc034a63d60048d59e336f0543fadee8af756793c31f99906d4c800e42517682ab5b6668d13475a

Download Submit