cb79879f54a98659a4ae0a72686ecb18027aad44a11527a81c6b4790d053b76c

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c7d1b64f0cbdd461d277af390d6eae2.exe
Size

101KB
MD5

7c7d1b64f0cbdd461d277af390d6eae2
SHA1

fb62a44e96fdbfd76fe03b550ab23a1f5f312aed
SHA256

cb79879f54a98659a4ae0a72686ecb18027aad44a11527a81c6b4790d053b76c
SHA512

f50681911a5bc35bbe7ac680cc0a5e0becffd3abaf47a2e6417adc48778e9262939038c181c58fcbb52d1208fb3efe3672b05719bced9003ec8714deb8af1c2e
SSDEEP

1536:DuLdaekIpG1GCDPy+EiaD4y3oAYp+d5qw6Re+u58753fNk3OJGkYVPdUUk4moGmL:bep8PHGDUw6Re453fufPdo4mPWIGN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	QuickyPlaeyr.exe

Loads dropped DLL 9 IoCs

pid	Process
2540	7c7d1b64f0cbdd461d277af390d6eae2.exe
2540	7c7d1b64f0cbdd461d277af390d6eae2.exe
1892	QuickyPlaeyr.exe
1892	QuickyPlaeyr.exe
1892	QuickyPlaeyr.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	1892	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 2540 wrote to memory of 1892	2540	7c7d1b64f0cbdd461d277af390d6eae2.exe	28
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29
PID 1892 wrote to memory of 2776	1892	QuickyPlaeyr.exe	29

C:\Users\Admin\AppData\Local\Temp\7c7d1b64f0cbdd461d277af390d6eae2.exe
"C:\Users\Admin\AppData\Local\Temp\7c7d1b64f0cbdd461d277af390d6eae2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\QuickyPlaeyr.exe
  C:\Users\Admin\AppData\Local\Temp\QuickyPlaeyr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 496
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\QuickyPlaeyr.exe

Filesize
21KB

MD5
fea3de2f25ca36ec3d6b66014b72e32e

SHA1
034f40ed75c6f7c84fef3685ce339054b0d951af

SHA256
0d411ca57a9bd810bbf4a4824e3a4741643e4364fa68eb946a0959464c159871

SHA512
75062f647605eea3f910027a4a1a87602c5991e376238a0279667839e06b41f3612fc8182c65fef447c6b88773546eb6259113cad52a24c0de2152766793163c

Download Submit
memory/1892-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1892-13-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/1892-15-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2540-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download