204d18ba997e4415cfead4170a96ca9c6ec86b6891252607b58b14313dec53ae

Analysis

max time kernel
142s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 10:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

505a06ec9c7496c2bede79b31e3c4454.exe
Size

2.2MB
MD5

505a06ec9c7496c2bede79b31e3c4454
SHA1

4e32887ce49b55853550ef720b673f8402e5f348
SHA256

204d18ba997e4415cfead4170a96ca9c6ec86b6891252607b58b14313dec53ae
SHA512

f8dba99ae6ef0102b6f075ddb843a8ad085dbfa8656fd209c3a7a6cd37b01c5b3f9beb71e9966b35b43d43bbffb0a5823427c327ee4d1fc48758f8bf8866df1b
SSDEEP

49152:wPcNfJLj7dqvhoMQTIYNeDSM3QFEiabkxG:w2Rnd92Ldw0

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001539d-40.dat	acprotect
behavioral1/files/0x0006000000018b4d-148.dat	acprotect
behavioral1/memory/2292-150-0x0000000074F10000-0x0000000074F1A000-memory.dmp	acprotect
behavioral1/memory/2292-227-0x0000000074F10000-0x0000000074F1A000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2292	98c9Installer.exe

Loads dropped DLL 43 IoCs

pid	Process
2052	505a06ec9c7496c2bede79b31e3c4454.exe
2052	505a06ec9c7496c2bede79b31e3c4454.exe
2052	505a06ec9c7496c2bede79b31e3c4454.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe
2292	98c9Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2052-2-0x0000000001030000-0x0000000001099000-memory.dmp	upx
behavioral1/files/0x000900000001539d-40.dat	upx
behavioral1/memory/2292-42-0x00000000003F0000-0x00000000003FC000-memory.dmp	upx
behavioral1/files/0x0006000000018b4d-148.dat	upx
behavioral1/memory/2292-150-0x0000000074F10000-0x0000000074F1A000-memory.dmp	upx
behavioral1/memory/2292-227-0x0000000074F10000-0x0000000074F1A000-memory.dmp	upx
behavioral1/memory/2052-270-0x0000000001030000-0x0000000001099000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vittalia\uninstall.exe	98c9Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a00000001225c-20.dat	nsis_installer_1
behavioral1/files/0x000a00000001225c-20.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2292	98c9Installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28
PID 2052 wrote to memory of 2292	2052	505a06ec9c7496c2bede79b31e3c4454.exe	28

C:\Users\Admin\AppData\Local\Temp\505a06ec9c7496c2bede79b31e3c4454.exe
"C:\Users\Admin\AppData\Local\Temp\505a06ec9c7496c2bede79b31e3c4454.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\temp\98c9Installer.exe
  "C:\Users\Admin\AppData\Local\temp\98c9Installer.exe" /KEYWORD=98c9 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\98c9fondo.bmp

Filesize
206KB

MD5
bfb7e1c5c86c449594a7ce8748d300ec

SHA1
7b58dc0d49f1c6631e2f10491275759ecf207ae2

SHA256
e54552ebc74b557f0838965000e4496ede4a94e271cd1543342e94ea2e189593

SHA512
d3e7f3d822f6ddda3ccb53ffeab0db38333dc9863351d2ce167466527fe38b2abd1a68ed5803cdb40730a5387a8e1669ddd2575986eb7557009da560808738bc

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9header.bmp

Filesize
25KB

MD5
b748b65bcf37d69f8899aa773226e916

SHA1
fb3fbf9393289d1f539a57235e89675360848cfc

SHA256
a09ef4d3c8ce7668593e67f492894bed3d65660612cb71bbaccb2685bb1738b0

SHA512
4e58390303c0cb3ab173337413f96b04b3850fc4fe75740d4170d577b42d112ae00930515a725f858542ab1863e0ea30cd82477313296c36cbcd33aa2789c155

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9installer.ini

Filesize
515B

MD5
f950f14f96ec808bcbd4a7a35376e456

SHA1
53129a8cc7e8954d5a74388bd9c5728cb6443049

SHA256
4cf28a7e289a25ed4ea06362646bbbe4514355fc98f990d7e814714c7503acb1

SHA512
6323be24409f1705310858ed54569c8081e3c35477ef8d1f3f951157d3a7b401e5be537688e806d6482f6c9a462fb61258af861e6e35065c12447e59c4cf004f

Download Submit
\Users\Admin\AppData\Local\Temp\98c9Installer.exe

Filesize
1.5MB

MD5
3ec5d14bd9c196ca3c96697735f7247b

SHA1
894163af7264eb23ace232cfda80632cac5c391b

SHA256
7477a75f95c9c08aa174d0d137059d2e753827cc7a72fdb9a4f8014fd56ccf63

SHA512
d0b51023d414f26f01ecd973a737927c618f49981cacbed5e76ca7143b50966248c50520f2c4d8d82d5157a55213f89ef96989b8ca75fa740873b4aab4d4a10c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\nsFILES.dll

Filesize
179KB

MD5
7f74996a4bf2ff85bcce4d9183c8c5fe

SHA1
5def8ca9b766686e66d84d07398e2c6338c3fa36

SHA256
a51470865754c14bdd149b2b713213e48ab51b2c3a601912813cfd6312b410cf

SHA512
617c5f81505cf9400f572631c99fdd37359f15bbf7a4c71e20738c37dcced1b5506dce5371b0f791ba59a6686d61b0281b2ee4131435bfd300a051c585c2928d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\nsURL.dll

Filesize
108KB

MD5
c3e5489ee3750fd9179f0fb4054aafaf

SHA1
d7a3c10648c25a035343f4057b3ee7015ba0b50d

SHA256
0470bf7eab3bc073a3cbc2c1a941379fb1b67cdec19cc201f03062b21d5d726b

SHA512
599f8100f3d6adc2eeff9e0c618098f0e8985c72e60b506d26a53a3dea10135a5e0259cd447794d8e933e551f4ed2db935d1c45085adb4dddc88521e1b22e624

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9CCD.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2052-270-0x0000000001030000-0x0000000001099000-memory.dmp

Filesize
420KB

Download
memory/2052-2-0x0000000001030000-0x0000000001099000-memory.dmp

Filesize
420KB

Download
memory/2292-227-0x0000000074F10000-0x0000000074F1A000-memory.dmp

Filesize
40KB

Download
memory/2292-257-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/2292-258-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/2292-267-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/2292-175-0x00000000030C0000-0x00000000030E6000-memory.dmp

Filesize
152KB

Download
memory/2292-150-0x0000000074F10000-0x0000000074F1A000-memory.dmp

Filesize
40KB

Download
memory/2292-269-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2292-268-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2292-42-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2292-272-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2292-274-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/2292-275-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/2292-276-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download