8c704dd49e9493c8629487e92adbe7d4794073ee19aa2bf0137b5646b1998056

Resubmissions

07/01/2024, 17:58

240107-wj5y7sced9 10

07/01/2024, 17:50

240107-we4kksbehl 10

Analysis

max time kernel
83s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
07/01/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GENERATOR 2.0/GENERATOR 2.0.exe
Size

50.7MB
MD5

9224655def30664e25eb075940a4c6bc
SHA1

05bb602202941413b7544883f2bf19ac2ed8b517
SHA256

c3b66ee7b2bb35e24c67bf0fa8825a045b715c0050ba4fc2507e7c8d885a99b4
SHA512

bfbbcf2a551ce0e982385c07d7bb15e747fc647b5bbf5591ff413b4b9f17ff11cb361bc8831c436ba8c33f91cf68c092da5e67470d7876fdafd04037188cd88e
SSDEEP

1572864:7XGMK4XR3bLSCU/+6yPlhvhoQtHlBzW+eHfmmWu24HOGPn:7gYRPSC++6y9Ji46dn24uG

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GENERATOR 2.0.exe	GENERATOR 2.0.exe

Loads dropped DLL 64 IoCs

pid	Process
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe
952	GENERATOR 2.0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.ipify.org
2	api.ipify.org
4	api.ipify.org
12	api.ipify.org
17	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4028	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
952	GENERATOR 2.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	GENERATOR 2.0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 952	1192	GENERATOR 2.0.exe	81
PID 1192 wrote to memory of 952	1192	GENERATOR 2.0.exe	81
PID 952 wrote to memory of 4736	952	GENERATOR 2.0.exe	83
PID 952 wrote to memory of 4736	952	GENERATOR 2.0.exe	83
PID 952 wrote to memory of 4076	952	GENERATOR 2.0.exe	85
PID 952 wrote to memory of 4076	952	GENERATOR 2.0.exe	85
PID 4076 wrote to memory of 4028	4076	cmd.exe	86
PID 4076 wrote to memory of 4028	4076	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\_asyncio.pyd

Filesize
63KB

MD5
806e47cb0146c81aeaa8bf3b55789801

SHA1
6ee2c47f892480846c98acea03915e744e24f217

SHA256
55cbeaa0a6d5678b4ff611b5166829b1a07b84b97e72e35263216703d98332ef

SHA512
a8090290c571cf94c0dc09c91156149c05d1883081cd5b0d69230b6ea8bc4052e518c00004b35964f5464c67e757e3993feeef980fa99ffb3e612b2384629ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\_bz2.pyd

Filesize
82KB

MD5
afaa11704fda2ed686389080b6ffcb11

SHA1
9a9c83546c2e3b3ccf823e944d5fd07d22318a1b

SHA256
ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4

SHA512
de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\_ctypes.pyd

Filesize
121KB

MD5
78df76aa0ff8c17edc60376724d206cd

SHA1
9818bd514d3d0fc1749b2d5ef9e4d72d781b51dd

SHA256
b75560db79ba6fb56c393a4886eedd72e60df1e2f7f870fe2e356d08155f367b

SHA512
6189c1bd56db5b7a9806960bc27742d97d2794acebc32e0a5f634fe0ff863e1775dcf90224504d5e2920a1192a3c1511fb84d41d7a2b69c67d3bdfbab2f968fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\_lzma.pyd

Filesize
155KB

MD5
2ae2464bfcc442083424bc05ed9be7d2

SHA1
f64b100b59713e51d90d2e016b1fe573b6507b5d

SHA256
64ba475a28781dca81180a1b8722a81893704f8d8fac0b022c846fdcf95b15b9

SHA512
6c3acd3dcae733452ad68477417693af64a7d79558e8ec9f0581289903c2412e2f29195b90e396bfdcd765337a6dea9632e4b8d936ac39b1351cd593cb12ce27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\base_library.zip

Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\libcrypto-3.dll

Filesize
1.5MB

MD5
8fc2c034d58573e79dc769b2a40b3999

SHA1
02fe1ed24b5b371865d6a46e2f70500bde2d0fb3

SHA256
30241e03de6372c108c419430f2917e7cf3ff8708575ef64e325a89e01de1cd7

SHA512
0264e086a2379e2dccf215d5dca9c29c5d0096166b83ec374eb5822b9e02d1b9e28eaa5b40a4c70bc84fec035c6fbe462f3d58786ae9ceb816206f64875f5d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\log5.png

Filesize
186KB

MD5
2cefa470e58a82a2441f5808baa2b0ee

SHA1
4e4a98e82ef6500a9e79e6c4b56c2b6a0a638e64

SHA256
8add5f11f0a1ef27f34a1f3f407a3afedc892c8f04870db4f89c0a3abc1114a2

SHA512
5840237b8d92c358f44db74492672694cc58bf0d609eaeb45c36825c5d586d652bd031b5fcafb6340ff9ea32a9238bba78256742493af8c7188877cd6ee6e5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\pyexpat.pyd

Filesize
193KB

MD5
bfe46323faea201f6d18d60723e06852

SHA1
f93afeebb3ea1e6d1cc8ab3618c9d4c88eaa7475

SHA256
35134cca2dcf7c2b7e592b677833322b6b72a6a88afcd3935afe5907a282e89e

SHA512
7342c309c98b7ef0d8e7d02e6a31afbd765b077b9061a185b160842b24af3fb629d5757001ae647b8c660defd41b765bbb6175cca431d569ff9bd580fd8f7913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\python3.dll

Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\python311.dll

Filesize
2.9MB

MD5
c59c40d3665d5a2a51156137bbe13cb9

SHA1
d639fa2525dba464328cd5aa26231e212e0a5ff4

SHA256
4aea137d8efc05052cf49745f389bae5aa03e780c05b051b33407bea1426e2db

SHA512
5a4ff93d881ec12a3069436a60dbc309c3350418ebe3fa365ce7709feeb72b81f52dbeaa34b93273bf7f3a8628b97c4a6b2c021b7472bc4fc921e05a9515e9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\python311.dll

Filesize
2.1MB

MD5
098357a23f798cf3ed20a6e2fc39ccbb

SHA1
2aac8fd594ea2d7e3d513bc2d0927e7c9051fcbf

SHA256
c6623f0faeb83ec4c20fe7db89ce2a01aa0ec0e4b220a3bb389061880fb77a93

SHA512
f69623c0d2cd158eaae4568776816fd3b259434eab55b1b3e0746c3b3fcfb5ecfda316b90ac173aff51d93f50a522a978dabe87933c7c4c7d08ecee12c413138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\select.pyd

Filesize
29KB

MD5
0b55f18218f4c8f30105db9f179afb2c

SHA1
f1914831cf0a1af678970824f1c4438cc05f5587

SHA256
e7fe45baef9cee192c65fcfce1790ccb6f3f9b81e86df82c08f838e86275af02

SHA512
428ee25e99f882af5ad0dedf1ccdbeb1b4022ac286af23b209947a910bf02ae18a761f3152990c84397649702d8208fed269aa3e3a3c65770e21ee1eec064cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\sqlite3.dll

Filesize
773KB

MD5
df9c54ca498a688676f25eb161dbff6c

SHA1
a9f965ec5d97d87da43c18eb32a69109012a2e15

SHA256
08f55b49f65e08a4c3a599c8a5148b43be8eca8663e3afbd450085ed042139a9

SHA512
6273f7142777b93055838a19900e267720493c2f07841880919df389b89c5fa0c370f0f77a5ac0f644912cf3f919e342816f1e9369fbd70fb8faea630933fd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\tcl86t.dll

Filesize
386KB

MD5
08088c81dcc23e7b98009f3faba7e247

SHA1
cbeedaafccbbb35b93a67d4d868ccd296e085f42

SHA256
5dabdcacfb047695b8feb3f5c6e2454f74145c99ccc7624b81aaf59b8d61f10c

SHA512
81543b3102fc75e8fd1368d84613c69d366fcbc4e0d16b811a08a63bb5ef3813ec86aa5a15fb7161af2e6203253c4b29be27a3408945157a502e5ef0ee949ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\texte.txt

Filesize
12KB

MD5
6f4b58496501defa12f7b9157ad57b00

SHA1
5f4bcc137fa31f6a07561c2d2e49071f39b5020e

SHA256
0c76cd2741c4d6bafe61ea83aa6a1e56439e6d319e537071506218d914933b22

SHA512
cc07c2205f389ffbef3327efc39e3830ca09f48870006c45a3902ac006b492a22a36dc4b0d5592e0a37e034d1a89f907c2a9af2cd8bd8435a112c2dc576f2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\texte2nomfamille.txt

Filesize
1KB

MD5
33640b05ccc550bd6825d1c00a2e5707

SHA1
5a630bd459997c46ca007c1650396fa95848cfcb

SHA256
cf7c92f4d07399d991126be0e770572cc7af994bac452cbd0dee0ba13aa41f39

SHA512
ef26e13b516a5dd57a4ed665ce5e9e2d73ab1cef256e46abf03231cce7b6b7627aa7bc5b24673e899e902e8cfee0f056cf5f9075f1c8f6a9f35ab508b8e6499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\tk86t.dll

Filesize
92KB

MD5
c5dc6abbdfcb1aa3738eba3c759242aa

SHA1
9f25b8aaf5d48d4a03096491da8b9834965a0bef

SHA256
fa6ddb5538d272d7e9cd5e9703350e8c145f3687bd68fd20ac748a6c15328ea5

SHA512
c65a490d978ee43976256ab0eb76f51abf9be02eb0ab50f33745631d955448d148046467c764303c15cdce463be6a59cdc2b367c80923b54165f9c4f1a476f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11922\unicodedata.pyd

Filesize
92KB

MD5
eaab5a302979cfbe8c7b151eff8d554c

SHA1
04ef5481e52cca4a25e6a1396769753b4c598423

SHA256
2b5d1088a7e5ec8b0c4cd98c8e7f3befb8ed0ba362af2e8a069b50b3b93114a7

SHA512
93ee6ce32b795a9ceb697fc52aa816554a0ab060ff4a5ab7db82cc9d79ecc63791fa2f5a1e9aeb96da3b8682b45f03a5c6a282d5759eaa1f0b8f61b53a66c9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
29B

MD5
155ea3c94a04ceab8bd7480f9205257d

SHA1
b46bbbb64b3df5322dd81613e7fa14426816b1c1

SHA256
445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b

SHA512
3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05

Download Submit
memory/952-1204-0x00007FFCC3D10000-0x00007FFCC4200000-memory.dmp

Filesize
4.9MB

Download
memory/952-1205-0x00007FFCC3100000-0x00007FFCC3641000-memory.dmp

Filesize
5.3MB

Download
memory/952-1206-0x00007FFCC2820000-0x00007FFCC2A83000-memory.dmp

Filesize
2.4MB

Download
memory/952-1207-0x00007FFCC25B0000-0x00007FFCC2815000-memory.dmp

Filesize
2.4MB

Download
memory/952-1208-0x00000197D7900000-0x00000197D7910000-memory.dmp

Filesize
64KB

Download