Analysis
max time kernel: 166s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:38
Static task: static1
Behavioral task: behavioral1
Sample: a72d5fc2211db435af9ab375f832b3cd.exe
Resource: win7-20231215-en
General
Target: a72d5fc2211db435af9ab375f832b3cd.exe
Size: 679KB
MD5: a72d5fc2211db435af9ab375f832b3cd
SHA1: 7314bc8001f4aa904384a198e1df75660b3a5f63
SHA256: 8eef68e38ffd16167815c1e257779bd65af3accec82cd840905241c197ddcc2c
SHA512: 750ec66c04916748bdd99455d8507287b4da50949bc5677faadc2f72408a293a0f400a2bf97244693b7955e5afd7d915a5762733fe1432969943c41f3b393cb3
SSDEEP: 12288:o1P8JUFCBlF32PyN724Ck6TpxGbj8lleYIagaO:o1kJUFCBl52Pe724XSlzIagaO
Malware Config
Signatures
Nirsoft 3 IoCs
resource                                                                     yara_rule
behavioral1/memory/2580-23-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral1/memory/2244-43-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral1/memory/2580-25-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft

Executes dropped EXE 4 IoCs
pid   Process
2688  WebBrowserPassView.exe
2580  mspass.exe
2244  ProduKey.exe
1648  MC.exe

Loads dropped DLL 8 IoCs
pid   Process
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                     yara_rule
behavioral1/files/0x0007000000015ea0-15.dat                                  upx
behavioral1/memory/2580-23-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/files/0x0007000000016052-30.dat                                  upx
behavioral1/memory/2244-39-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral1/memory/2244-43-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral1/memory/2668-32-0x00000000009B0000-0x00000000009C8000-memory.dmp  upx
behavioral1/memory/2580-25-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral1/memory/2668-63-0x00000000009B0000-0x00000000009D6000-memory.dmp  upx
behavioral1/memory/2668-60-0x00000000009B0000-0x00000000009D6000-memory.dmp  upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

description  ioc                                                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main  a72d5fc2211db435af9ab375f832b3cd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2580  mspass.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2668  a72d5fc2211db435af9ab375f832b3cd.exe
2668  a72d5fc2211db435af9ab375f832b3cd.exe

Suspicious use of WriteProcessMemory 22 IoCs
description                       pid   Process                               procid_target
PID 2668 wrote to memory of 2688  2668  a72d5fc2211db435af9ab375f832b3cd.exe  27
PID 2668 wrote to memory of 2688  2668  a72d5fc2211db435af9ab375f832b3cd.exe  27
PID 2668 wrote to memory of 2688  2668  a72d5fc2211db435af9ab375f832b3cd.exe  27
PID 2668 wrote to memory of 2688  2668  a72d5fc2211db435af9ab375f832b3cd.exe  27
PID 2668 wrote to memory of 2580  2668  a72d5fc2211db435af9ab375f832b3cd.exe  32
PID 2668 wrote to memory of 2580  2668  a72d5fc2211db435af9ab375f832b3cd.exe  32
PID 2668 wrote to memory of 2580  2668  a72d5fc2211db435af9ab375f832b3cd.exe  32
PID 2668 wrote to memory of 2580  2668  a72d5fc2211db435af9ab375f832b3cd.exe  32
PID 2668 wrote to memory of 2244  2668  a72d5fc2211db435af9ab375f832b3cd.exe  30
PID 2668 wrote to memory of 2244  2668  a72d5fc2211db435af9ab375f832b3cd.exe  30
PID 2668 wrote to memory of 2244  2668  a72d5fc2211db435af9ab375f832b3cd.exe  30
PID 2668 wrote to memory of 2244  2668  a72d5fc2211db435af9ab375f832b3cd.exe  30
PID 2668 wrote to memory of 1648  2668  a72d5fc2211db435af9ab375f832b3cd.exe  36
PID 2668 wrote to memory of 1648  2668  a72d5fc2211db435af9ab375f832b3cd.exe  36
PID 2668 wrote to memory of 1648  2668  a72d5fc2211db435af9ab375f832b3cd.exe  36
PID 2668 wrote to memory of 1648  2668  a72d5fc2211db435af9ab375f832b3cd.exe  36
PID 1648 wrote to memory of 684   1648  MC.exe                                33
PID 1648 wrote to memory of 684   1648  MC.exe                                33
PID 1648 wrote to memory of 684   1648  MC.exe                                33
PID 684 wrote to memory of 564    684   cmd.exe                               35
PID 684 wrote to memory of 564    684   cmd.exe                               35
PID 684 wrote to memory of 564    684   cmd.exe                               35
Processes
C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe"
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
    C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
      command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\Opera.txt
      - Executes dropped EXE
      PID:2688
    C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
      - Executes dropped EXE
      PID:2244
    C:\Users\Admin\AppData\Local\Temp\mspass.exe
      command line: C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\MS.txt
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2580
    C:\Users\Admin\AppData\Local\Temp\MC.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MC.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1648
C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F8A1.tmp\TestLunch.bat" "
  - Suspicious use of WriteProcessMemory
  PID:684
    C:\Windows\system32\java.exe
      command line: java -jar "test.jar"
      PID:564
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 1KB
MD5: 280d0cbfe3a26c806d64da5440a96b42
SHA1: a22bd38174c75b3a1c7a0b8492c7f4cdbbcd1d83
SHA256: 414ffaf22c19613483164f5b28e5d62816b5321cea6c25dfc32d4074e2b788eb
SHA512: 09540ab38fd7a69c83dc839896e71f2d0637b31a2ddfe05b0a519fc1669dec186fe5535ebffc8668c6082a6ebb4be85fe862c432eba8d3c81c57bf959ec1b9c8

Filesize: 37KB
MD5: 12507d0c4b2963ba229e02ff961ec400
SHA1: 6a9b296e5b614457f106cfc8ed6fc24bd75ba9aa
SHA256: bbcb52b0538c81d9ced034e2c0435188bcd1d36f09bce76654f494e4d5dcdb0c
SHA512: 1ad84dc8f90fd2342f4136d7594a0e10ea6ceefa0fd1b64a96a9200af260f76e3be22e1e3d6577c8b6b9a4ac655d0a8e2e2615f52114e1b11fd0773ec4e2bf10

Filesize: 65KB
MD5: ffc52f2b4435fcddaca6e15489a88b75
SHA1: 63ec31a04cf176852344d544ae855da0dac64980
SHA256: 3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f
SHA512: 389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c