6bbd73fb9dbfa61e7e17f94f19087009bdeed47619c7fcdaa790afbd82f020fa

General

Target

7fd7835215946026612456572996b4a4.exe
Size

14.4MB
MD5

7fd7835215946026612456572996b4a4
SHA1

64b5f2d6a5fd2a36e70436af29deae0ceafbb457
SHA256

6bbd73fb9dbfa61e7e17f94f19087009bdeed47619c7fcdaa790afbd82f020fa
SHA512

d88e622f96631e639f44b516f3c89f1c3547840a3091b3535e0baed921e81e42d37ad1848732e79580ca3cf4347b83a1102678e45474692f3ddc19507f04886f
SSDEEP

393216:/X7QMidQuslSq99oWOv+9fgTz+qk7/MOw:/LQ3dQuSDorvSYTz+b/A

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7fd7835215946026612456572996b4a4.exe	7fd7835215946026612456572996b4a4.exe

Loads dropped DLL 46 IoCs

pid	Process
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe
3580	7fd7835215946026612456572996b4a4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
42	api.ipify.org
67	api.ipify.org
72	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
764	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3580	2536	7fd7835215946026612456572996b4a4.exe	32
PID 2536 wrote to memory of 3580	2536	7fd7835215946026612456572996b4a4.exe	32
PID 3580 wrote to memory of 4196	3580	7fd7835215946026612456572996b4a4.exe	31
PID 3580 wrote to memory of 4196	3580	7fd7835215946026612456572996b4a4.exe	31
PID 3580 wrote to memory of 1596	3580	7fd7835215946026612456572996b4a4.exe	30
PID 3580 wrote to memory of 1596	3580	7fd7835215946026612456572996b4a4.exe	30
PID 1596 wrote to memory of 764	1596	cmd.exe	28
PID 1596 wrote to memory of 764	1596	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\7fd7835215946026612456572996b4a4.exe
"C:\Users\Admin\AppData\Local\Temp\7fd7835215946026612456572996b4a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\7fd7835215946026612456572996b4a4.exe
  "C:\Users\Admin\AppData\Local\Temp\7fd7835215946026612456572996b4a4.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3580

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25362\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25362\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25362\base_library.zip

Filesize
381KB

MD5
458d5340d12d505c4c628975989baf6f

SHA1
e12818269368b5c4b4cb4dfe9efe475d90de331f

SHA256
0c4c575478eab0073bfc25320b69b4148db9fff9b61f4d49f4f5f38860bf7dab

SHA512
e1636baf35c70c2dd9bf4b2e18ae32035b5b98d8e7669a6de06253018776a0730ab84f48503be93dda2b774a783602337ab74802aee81faca5b06a94d8e06163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25362\python310.dll

Filesize
382KB

MD5
919b118acf0ba002e0710c420fdb220f

SHA1
36a948a7d6c0233d545c515b5b6791037add3824

SHA256
42638439b3a42a01982d191876a3275723c571357f8c746098a49709fa59f05f

SHA512
ddc0fbd423abb70b3a537285395b2297110985e5635627cf8257d692871fb683a96af82a62ce001e451f7244197e4edbb2c8892ed7713e048bf140c1fa871ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25362\python310.dll

Filesize
381KB

MD5
d97be19eb8331f972ea4fb46690c00ab

SHA1
a091d9b2b99f64b69f195196a81e789ca59c7343

SHA256
e5bdd25a391f67962dafa38ae099bf119012c60f9780d0b6f77c27e8d6fc7693

SHA512
e4c546edb87ea720d29e97ca7f940843ccd0aecadb695eb7a7f2133fcafecdcff0f9d31c4dfe4e0079ecc826564aed69ba45dd87ebf4c6c2959ed582c6932596

Download Submit

Analysis

Sharing