53efad5eb97bb6b3bb9a5d6422e6ab1c0c210dd48c2b1f10d47562e2b4c59616

General

Target

7898545c599bbf7bcf230a76c1c61db9.exe
Size

249KB
MD5

7898545c599bbf7bcf230a76c1c61db9
SHA1

24bff833cba0bc3e30fe54ff099bd542cc70027f
SHA256

53efad5eb97bb6b3bb9a5d6422e6ab1c0c210dd48c2b1f10d47562e2b4c59616
SHA512

58216eeaef035bc105a1dcb2960940af73b3b77cd24fdb774b1f76d889eae8dfd2860ba2b88321309820753de6e192960b39d8e48c1aa3b889cf49ec78fecd5a
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5TIlxU0oBZ7rkBkakZ1dpBCu:h1OgLdaO0c0y9Fa2Bt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	50dc28a4e179f.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	7898545c599bbf7bcf230a76c1c61db9.exe
2732	50dc28a4e179f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-54-0x0000000074AA0000-0x0000000074AAA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000155e9-23.dat	nsis_installer_1
behavioral1/files/0x00070000000155e9-23.dat	nsis_installer_2
behavioral1/files/0x00070000000155e9-20.dat	nsis_installer_1
behavioral1/files/0x00070000000155e9-20.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17
PID 2500 wrote to memory of 2732	2500	7898545c599bbf7bcf230a76c1c61db9.exe	17

C:\Users\Admin\AppData\Local\Temp\7898545c599bbf7bcf230a76c1c61db9.exe
"C:\Users\Admin\AppData\Local\Temp\7898545c599bbf7bcf230a76c1c61db9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\50dc28a4e179f.exe
  .\50dc28a4e179f.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
9a880138334af5f0ae053cc9d4db3c48

SHA1
59daecf2c27a4ed399adc3b81f75c120fc80f174

SHA256
3026fa2f63174c1cb28ffa524f204a8d67ace1a467899a7c3afd364ff086c74c

SHA512
4443c6cfd3029eeb0c099006014679fe1bb60f9149ffa558beb922fe24179dc0bef41e0f16cee2e004c0c0eb8a5a300b32bdb526208e0c463dc68aca5edfd9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
74d5c16e7f06a65f8aac680cf4dfa70b

SHA1
941d9ccf84921579fee5424d4dff92c3e89fd48a

SHA256
7998109fe78a2d5e9a8218ffc39c2f343aacbf64248fee0ed09f36d74658179f

SHA512
f6c7ed9903ec16a1998a9d0c3c73ef3d585f0f51166a7ebbf1970b9260716c23822eb8817beaef4a4c4b023b2d2d9470d78ce8d7fc77a67a7fbb6d794358742e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\[email protected]\install.rdf

Filesize
718B

MD5
3e48cd428f2d89038db12bc73527b310

SHA1
c67b7218b6087f12cd22a65da66f127022bb0396

SHA256
75c8fbf9306f947e56292ebb50f47072da6e0a54ea996227240fde7fe5d47109

SHA512
75afe9101fc0d81cb48865ccbb1922a86d15ce9defb8487e98d9613f025f98b01cea98fa26baf1c7cdde044e84e7ada93adf471af103539c197633265f96ee00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\50dc28a4e179f.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\settings.ini

Filesize
6KB

MD5
c0642976c4c0b5dd742d8c55eccc44fb

SHA1
613d1101fb472b182c24f74f7aef3df4071636d3

SHA256
5d71c144f32b1196be4841b364d8069a0e6d1fb4d57535db85ae3b135a5a42c9

SHA512
c40479428526dc757ed03335454aa7f8a0e7aadb134eff9bea60f4d31a586d777b56401ec5514412484329cf6c3e73711848e626053a0bdc325affb831382e31

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2FD7.tmp\50dc28a4e179f.exe

Filesize
20KB

MD5
640f77b4d6245dcca4cd8299e52105a9

SHA1
ad9db3e87e153591a9d0a612b4a27c8c97349d8d

SHA256
6ae7f08700de560e7c5e7a49b71302aa20bb5c659e8964ed41a2cc219ee32156

SHA512
0d06a626dcd65e8478559c1bcfde88290809f55f08bef9f470ee2786c96751dc64914941776bf75fca0b2eea801d9c525224e7d9a1f9f0327c7dff4d816b5056

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3083.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/2732-54-0x0000000074AA0000-0x0000000074AAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing