1da32f2f8d0930fa4817a88b963c853345241501dc27ee1c4ff97778eccef8fb

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c267bfd760e90a203a744138d59ce5c.exe
Size

3.4MB
MD5

4c267bfd760e90a203a744138d59ce5c
SHA1

5d585e86b727b9d94e8458a298880f1f79815e3a
SHA256

1da32f2f8d0930fa4817a88b963c853345241501dc27ee1c4ff97778eccef8fb
SHA512

49d0f977d441ceca95366a33288b56baf41daf571b635d0908eb4a3a759a2bd91964eb2038bc0fe24708f4e7881d2cce19225f90c1a8a75db61f2f643d827172
SSDEEP

98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/4aEuC0:Hkj8NBFwxpNOuk2faEuC0

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2608	v72bg3Wy4jNd6.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	v72bg3Wy4jNd6.exe
1276	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2952	4c267bfd760e90a203a744138d59ce5c.exe
1276	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2516	sc.exe
2688	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	4c267bfd760e90a203a744138d59ce5c.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe
2608	v72bg3Wy4jNd6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	4c267bfd760e90a203a744138d59ce5c.exe
Token: SeDebugPrivilege	2608	v72bg3Wy4jNd6.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2608	2952	4c267bfd760e90a203a744138d59ce5c.exe	28
PID 2952 wrote to memory of 2608	2952	4c267bfd760e90a203a744138d59ce5c.exe	28
PID 2952 wrote to memory of 2608	2952	4c267bfd760e90a203a744138d59ce5c.exe	28
PID 2608 wrote to memory of 1940	2608	v72bg3Wy4jNd6.exe	32
PID 2608 wrote to memory of 1940	2608	v72bg3Wy4jNd6.exe	32
PID 2608 wrote to memory of 1940	2608	v72bg3Wy4jNd6.exe	32
PID 1940 wrote to memory of 2688	1940	cmd.exe	30
PID 1940 wrote to memory of 2688	1940	cmd.exe	30
PID 1940 wrote to memory of 2688	1940	cmd.exe	30
PID 1940 wrote to memory of 2516	1940	cmd.exe	29
PID 1940 wrote to memory of 2516	1940	cmd.exe	29
PID 1940 wrote to memory of 2516	1940	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe
"C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe
  "C:\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDRjMjY3YmZkNzYwZTkwYTIwM2E3NDQxMzhkNTljZTVjLmV4ZQ==
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940

C:\Windows\system32\sc.exe
sc config "SysMain" start=disabled
1⤵
- Launches sc.exe
PID:2516

C:\Windows\system32\sc.exe
sc stop "SysMain"
1⤵
- Launches sc.exe
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe

Filesize
151KB

MD5
3160d70ecfcfb4f2bda0e0d86bb94c49

SHA1
a675d99c4e325d14d3826db2aef9a1883266ada0

SHA256
bb5be564d8ace21dcadacd918b4dda19a5bfc934740f08889da16bb09ccfe309

SHA512
f087fe7556cff5eb89963f56e2358a8c920a35013b7945f031a8f6de79f2a8be7de27c05e3e402c48bb8e00d2b9bdce98c5abb0d709513c0fb296bf5fa43ee92

Download Submit
C:\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe

Filesize
270KB

MD5
4993e5e6cff145f7acd5574dbd95578f

SHA1
951cce78d9541b439c69110f5a470403c49aca78

SHA256
603ff88370c654cb44eef71073f66bfb85a38b6acfc0988e008948b90ccaeb98

SHA512
7eef8c71200bc23c32c33c2f38fce3965a3e638d25b62e9e3c125c3528cc12ecd7558f02c3a3aee0ab434e393d933b7dc9aa3454c919f10ea0104bd717e60c8c

Download Submit
\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe

Filesize
324KB

MD5
e229c5960700f9d214e14e47bab68199

SHA1
0753518077115be726b7178a42469624c5604a10

SHA256
144ee32d50c74ea72ea38a97f50f3354118142d282a5339185f66602c7f4896b

SHA512
1bddd4de2ed617dd99700d27795d354d0e440df3855bab40dc0b9382f3626da48f6e0758656d087000145eaf9561caf2602649403b8ef4c7ed87733ecccf24d9

Download Submit
\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe

Filesize
53KB

MD5
342f9a8d3c7dbda2e662e70c36da1127

SHA1
aca8f41dbd670bccc010a656b82c8e519ba124ee

SHA256
4e1148e0551211d47ca1f1e25af2c5e0c74e268394780f78b6975ea246735d88

SHA512
21d634303b3314b7db2d12b49bdcea50ac1f5d432de42a52eae233ef40ef7852017a6a756013bd4a5227c1d40429158b9150e37ed8fd37813c00e21feb01a2e4

Download Submit
\Users\Admin\AppData\Local\Temp\v72bg3Wy4jNd6.exe

Filesize
40KB

MD5
f8b27f15cc2e495de2f098846cac2e30

SHA1
19d9c7eeb2dac406ddaa04ca93c166940276e78a

SHA256
213a144edbe7bfe7bee1cf5fcf65bf21b0a870e8eeccec161f23d6bd2dd92605

SHA512
247362541aff037c24e65904d7e46aa2f09abdca551f3c98027275bc8adf2831aebc2408cffeddfa1ace2eff5a7d9dce9c5d2d907bf128ddea6330a723b9a727

Download Submit
memory/2608-23-0x000000001BD40000-0x000000001BDC0000-memory.dmp

Filesize
512KB

Download
memory/2608-21-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-31-0x000000001BD40000-0x000000001BDC0000-memory.dmp

Filesize
512KB

Download
memory/2608-30-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-29-0x000000001BD40000-0x000000001BDC0000-memory.dmp

Filesize
512KB

Download
memory/2608-26-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/2608-24-0x000000001B290000-0x000000001B302000-memory.dmp

Filesize
456KB

Download
memory/2608-25-0x00000000008E0000-0x00000000008E6000-memory.dmp

Filesize
24KB

Download
memory/2608-20-0x000000013F770000-0x000000013FA94000-memory.dmp

Filesize
3.1MB

Download
memory/2952-10-0x0000000000A00000-0x0000000000A32000-memory.dmp

Filesize
200KB

Download
memory/2952-3-0x000000001BA80000-0x000000001BB00000-memory.dmp

Filesize
512KB

Download
memory/2952-4-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/2952-22-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-0-0x000000013FDF0000-0x0000000140114000-memory.dmp

Filesize
3.1MB

Download
memory/2952-5-0x000000001CFF0000-0x000000001D428000-memory.dmp

Filesize
4.2MB

Download
memory/2952-6-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/2952-11-0x00000000006F0000-0x00000000006F4000-memory.dmp

Filesize
16KB

Download
memory/2952-2-0x000000001C020000-0x000000001C310000-memory.dmp

Filesize
2.9MB

Download
memory/2952-1-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-9-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2952-8-0x000000001AD00000-0x000000001AD9C000-memory.dmp

Filesize
624KB

Download
memory/2952-7-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download