40657557e6c69e35866b3dc5efdb25911e5d41aa6d0466309d722127769a175b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e73d3001cba0c172ee2a2bbddcc3059.exe
Size

8.9MB
MD5

4e73d3001cba0c172ee2a2bbddcc3059
SHA1

c92b1214fa42937846ba2ee1663bd0f31a1ab818
SHA256

40657557e6c69e35866b3dc5efdb25911e5d41aa6d0466309d722127769a175b
SHA512

329fae8f92660a379f27e11aebdd604516d87a3a9ca200efb9f9c85b13c7774e1aa9d703fa923dd975fb1c00ac275ee310be790730d0b4e939d165f9289032a4
SSDEEP

196608:m0tn/RNrlHAjoG+IY9onJ5hrZER9B2WZufOuD9Lr/QKyyHwOGCTb8ZM0h:JNZxlHOFY9c5hlERf2WmfDZrXDHwv6jM

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 17 IoCs

pid	Process
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe
2964	4e73d3001cba0c172ee2a2bbddcc3059.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2964	2324	4e73d3001cba0c172ee2a2bbddcc3059.exe	18
PID 2324 wrote to memory of 2964	2324	4e73d3001cba0c172ee2a2bbddcc3059.exe	18
PID 2324 wrote to memory of 2964	2324	4e73d3001cba0c172ee2a2bbddcc3059.exe	18

C:\Users\Admin\AppData\Local\Temp\4e73d3001cba0c172ee2a2bbddcc3059.exe
"C:\Users\Admin\AppData\Local\Temp\4e73d3001cba0c172ee2a2bbddcc3059.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\4e73d3001cba0c172ee2a2bbddcc3059.exe
  "C:\Users\Admin\AppData\Local\Temp\4e73d3001cba0c172ee2a2bbddcc3059.exe"
  2⤵
  - Loads dropped DLL
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23242\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23242\_ctypes.pyd

Filesize
92KB

MD5
7a21d2af317b3eaf9e1a64f1f71c4c31

SHA1
19f3ff8aac744969b67c0ef9a3da770a500f6c35

SHA256
37a3a68dba22b73ab51d882b52d1175fab1ef7d158de5475997e5443bc8b0aa9

SHA512
86052cc5ffdd74b343925361a2453af60335fafe99a430435942f6ce4b55d6b115acd2293662a3fe66afeccfb9900564a65a6cf28690a5f9a065c90b0360e01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23242\base_library.zip

Filesize
92KB

MD5
be9a5fb315b590a29109a264d947de6c

SHA1
0ccedcda70c1f7f70b60fde72da0f0a33c207fbf

SHA256
83296592362b72ac630f4d91bb9478f08015f22ec88c39efbefb6cbe05d40484

SHA512
9c9776aad9b0cd1cbc0a9b90cf3c3667a0d9d89c934d8b0e0d2429377dc13b435f249d1f4138339b11a5df42c24a3c2b4ce94a1a6cb4927078d623ebbc2742d8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23242\python38.dll

Filesize
92KB

MD5
8b22613e0ea42df26b068b6599f924de

SHA1
2ded27c7d7fd2da2c98117cf609b9502edec4eae

SHA256
f04f9b22474913a34686683e41db3284f93023318e2d8421a163834f19bfb5b7

SHA512
568fc75a499c76a6c3df51d4a5c61b3d7c8a0090858f9e1005be4a8d34827816922d726470af7ddb832ab0c832a10d10f1bbb8fbba44cdc537b06181b463bf7a

Download Submit