a3c0fd421875bbbf349d4eb8d09f003258a676668782ef1717c529d69483c56b

Analysis

max time kernel
153s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

069a94015a4d79c923546096804df1f6.exe
Size

809KB
MD5

069a94015a4d79c923546096804df1f6
SHA1

03d607ee44c1dcfb0500bd161072ad67ab22b310
SHA256

a3c0fd421875bbbf349d4eb8d09f003258a676668782ef1717c529d69483c56b
SHA512

9292756495405f9a70acf8e52b6cbe2c3c19be06fdf20cea00c9e54913cb4cd3aa1970cdd873e50cdb4b7400cf440e28367f9746616e5e77d74bb97a35c56b35
SSDEEP

12288:LEhB9nyhHP9PdfuByEMPxlDdCHs3l2lTI9HqXvrvHqB5zxJBhpZfYFvv:L+B9neHa+xCX0UvHej7W

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4740	1312	WerFault.exe	22

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\069a94015a4d79c923546096804df1f6.exe = "11000"	069a94015a4d79c923546096804df1f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WebBrowser_embedded.exe = "11000"	069a94015a4d79c923546096804df1f6.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe
1312	069a94015a4d79c923546096804df1f6.exe

C:\Users\Admin\AppData\Local\Temp\069a94015a4d79c923546096804df1f6.exe
"C:\Users\Admin\AppData\Local\Temp\069a94015a4d79c923546096804df1f6.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 3888
  2⤵
  - Program crash
  PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1312 -ip 1312
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\FDMClient.dll

Filesize
28KB

MD5
b682c0814b456836648157a6db584f7c

SHA1
22e5a19ec4a6bca2e4f03cfe2e22031ea5cb31d4

SHA256
7863fc06e9b2cea24f878846b369dee1cccc82a14601816384db9723864856fc

SHA512
c65d5aa44cf41140865c96692ff06dd3e201e116f5e2bd000a44aeab9df4635727c3141865b32ce5900902e284184b4827e3c0805d77aaab582b20763f2560cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\FDMClient.dll

Filesize
193KB

MD5
2d18687d3a06fceeb055c88eb5c5e009

SHA1
baaba03803ad4b7780754f6fcdb8df94cee2890b

SHA256
60659c7787917689fb7bbb5c88501bec5a43bd0df2717a538fb964b9a605e796

SHA512
f4be10aa4d30d63b06b853a1deccc0131fada6bda559bded3279582dbe2b460c8f3d728b888f3001a655aa00f3a22c5381fe73d9ad75d29f3529e4d08814dcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\System.dll

Filesize
17KB

MD5
62008374a494afeea2ee2ae9eee4c8c0

SHA1
94808fcf0748c437f4d7ffa4d540e054cb014fab

SHA256
9c4affddfa97b268b07c00ac28a2fe617dda806bf55088ccf348da149ee76c1a

SHA512
f584ed647b69ff8ff80450be8f0b267ebb3c97826dbf01d078165ea94b43afd1f00fc58b91d9e8f4d78465d70312c1b1a6ac66583ebdc009b0ce471a6cf149a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\WelcomeScreen.htm

Filesize
5KB

MD5
54bbb668f02441624af5d536ad9dfd05

SHA1
6a4a1e9522658a725c3f4d2864a2087d33368db6

SHA256
ed7a47c63626fb0ad11635421592b3e805937ea04a94ca39f6864edceed708fc

SHA512
b7cd133b796af24a17345ba578bd03ea1de659f83f7b7d2b29bcf44ccbca376611d35fd0ec435083c8719f2e35cbab2d1afb2d9fdec89a3ef4302fcd715d439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\webapphost.dll

Filesize
39KB

MD5
b687b16e150adbbe8de4c06b1186e0ad

SHA1
fbeaa5de5c3f8764eded7d1758ba5cefb0916cfb

SHA256
89e3d503fa1204aeba6c6eb5c7577ec6a8e64bd1f0e4163d7da3c236c29acda2

SHA512
b0e676f308ac353519287ad1000bf774fd7614d07fe85b5c561f0b2847966a2e614795711f4a2dd4406a4d5e212c38d6cf92e6bc0b7c023e6d30cbe961ec96c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCA86.tmp\webapphost.dll

Filesize
66KB

MD5
74e044f1a31d73f275123d0b52f36e67

SHA1
f68d0853af5ce87b7efa1b4cadc2f641016ed60c

SHA256
89510fd71b5aa551211b9b3bae6309164ba769e4a5bf87e48de156af67f5df66

SHA512
b3141600a27fba8a1b64f8bcefb3a4f05692daabcc569a172ebf645a409d0f6750d4b024228dc3f2db04f0c544bd1d396514abfd5dd99af52fda9f90ab9a4649

Download Submit