Analysis
max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
07/01/2024, 19:38
Static task
static1
Behavioral task
behavioral1
Sample
a72d5fc2211db435af9ab375f832b3cd.exe
Resource
win7-20231215-en
General
-
Target
a72d5fc2211db435af9ab375f832b3cd.exe
-
Size
679KB
-
MD5
a72d5fc2211db435af9ab375f832b3cd
-
SHA1
7314bc8001f4aa904384a198e1df75660b3a5f63
-
SHA256
8eef68e38ffd16167815c1e257779bd65af3accec82cd840905241c197ddcc2c
-
SHA512
750ec66c04916748bdd99455d8507287b4da50949bc5677faadc2f72408a293a0f400a2bf97244693b7955e5afd7d915a5762733fe1432969943c41f3b393cb3
-
SSDEEP
12288:o1P8JUFCBlF32PyN724Ck6TpxGbj8lleYIagaO:o1kJUFCBl52Pe724XSlzIagaO
Malware Config
Signatures
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral2/files/0x000c00000001e364-5.dat  WebBrowserPassView
Nirsoft 6 IoCs
resource  yara_rule
behavioral2/files/0x000c00000001e364-5.dat  Nirsoft
behavioral2/memory/1584-14-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral2/memory/1584-15-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
behavioral2/memory/2332-26-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
behavioral2/memory/4304-46-0x0000000001830000-0x0000000001840000-memory.dmp  Nirsoft
behavioral2/memory/4304-47-0x0000000001830000-0x0000000001840000-memory.dmp  Nirsoft
Executes dropped EXE 4 IoCs
pid  Process
3392  WebBrowserPassView.exe
1584  mspass.exe
2332  ProduKey.exe
2240  MC.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource  yara_rule
behavioral2/memory/1584-14-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral2/memory/1584-15-0x0000000000400000-0x0000000000426000-memory.dmp  upx
behavioral2/memory/2332-23-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/memory/2332-26-0x0000000000400000-0x0000000000418000-memory.dmp  upx
behavioral2/files/0x0006000000023233-21.dat  upx
behavioral2/files/0x000a00000002311d-13.dat  upx
behavioral2/memory/4304-43-0x0000000001830000-0x0000000001840000-memory.dmp  upx
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
1584  mspass.exe
1584  mspass.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  1584  mspass.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
4304  a72d5fc2211db435af9ab375f832b3cd.exe
4304  a72d5fc2211db435af9ab375f832b3cd.exe
Suspicious use of WriteProcessMemory 11 IoCs
description  pid  Process  procid_target
PID 4304 wrote to memory of 3392  4304  a72d5fc2211db435af9ab375f832b3cd.exe  91
PID 4304 wrote to memory of 3392  4304  a72d5fc2211db435af9ab375f832b3cd.exe  91
PID 4304 wrote to memory of 3392  4304  a72d5fc2211db435af9ab375f832b3cd.exe  91
PID 4304 wrote to memory of 1584  4304  a72d5fc2211db435af9ab375f832b3cd.exe  92
PID 4304 wrote to memory of 1584  4304  a72d5fc2211db435af9ab375f832b3cd.exe  92
PID 4304 wrote to memory of 1584  4304  a72d5fc2211db435af9ab375f832b3cd.exe  92
PID 4304 wrote to memory of 2332  4304  a72d5fc2211db435af9ab375f832b3cd.exe  93
PID 4304 wrote to memory of 2332  4304  a72d5fc2211db435af9ab375f832b3cd.exe  93
PID 4304 wrote to memory of 2332  4304  a72d5fc2211db435af9ab375f832b3cd.exe  93
PID 4304 wrote to memory of 2240  4304  a72d5fc2211db435af9ab375f832b3cd.exe  98
PID 4304 wrote to memory of 2240  4304  a72d5fc2211db435af9ab375f832b3cd.exe  98
Processes
-
C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a72d5fc2211db435af9ab375f832b3cd.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

  C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\Opera.txt
  - Executes dropped EXE
  PID:3392

  C:\Users\Admin\AppData\Local\Temp\mspass.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\MS.txt
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584

  C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
  - Executes dropped EXE
  PID:2332

  C:\Users\Admin\AppData\Local\Temp\MC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MC.exe
  - Executes dropped EXE
  PID:2240
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2B
MD5
81051bcc2cf1bedf378224b0a93e2877
SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
32KB
MD5
eba43e8a28297df4146bef07654f4580
SHA1
a5e96a0e8cd441f48dfcc3b97d45b0b466a864fa
SHA256
714eb102758c1c0feaf34a7e888026e7c073b893e931ac12ec6f607627b55af9
SHA512
2748f1f943767b5f2df5c9bc85f325a85f2d1c55090aa6e2d8e04901777200ba34ea75c4c6c49b473f964280b58f00e591f67a3b56f4e89f958e9f65966825bb
-
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
37KB
MD5
12507d0c4b2963ba229e02ff961ec400
SHA1
6a9b296e5b614457f106cfc8ed6fc24bd75ba9aa
SHA256
bbcb52b0538c81d9ced034e2c0435188bcd1d36f09bce76654f494e4d5dcdb0c
SHA512
1ad84dc8f90fd2342f4136d7594a0e10ea6ceefa0fd1b64a96a9200af260f76e3be22e1e3d6577c8b6b9a4ac655d0a8e2e2615f52114e1b11fd0773ec4e2bf10
-
Filesize
729B
MD5
29662ec08f5aa491b2733fa5f4dee30d
SHA1
bde21bcab3fc10cd6795a821e4f039fe4ff876e8
SHA256
365b0c56b65f24da09586d7cda5f7389666d8ce6585c2deb19c26868f0979d38
SHA512
a5216d00c9be46d2a3c8119c4dc17d458ecec36ef03e9de7001911ed423024c3b95e5ec665d5d4f6baadcf56d2afd792ae8a9fe133f31574f82973f391255329
-
Filesize
321KB
MD5
3b6bcf49057ea94968017b3d14cdf72d
SHA1
41ca649fdc27e352d2f7f8b4e14f84d21d20ab4b
SHA256
989f90eb63cf2c215d81a9838911f990e1bf4a97660c21a988d74f605abfc6e9
SHA512
cfe0daaba893458553655b4b30a51fcd25e2be8023c3328f4420dff44909cd66131d41cce39843a1883f56b49a423a821e79fc235b169ff1d2087f72f9a20206
-
Filesize
65KB
MD5
ffc52f2b4435fcddaca6e15489a88b75
SHA1
63ec31a04cf176852344d544ae855da0dac64980
SHA256
3f3c8484962b395f304a836ee5e8ee17beaafe982795c9747d8ee98cc6e4ca8f
SHA512
389694feccfe6ca352705b9481913fece6d1d47083f235ccdd60c05cfda82606be53845fde0dba8ec3f3748f820a828c9be0ce078c8b9cc853285b23f172841c