204d18ba997e4415cfead4170a96ca9c6ec86b6891252607b58b14313dec53ae

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 10:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

505a06ec9c7496c2bede79b31e3c4454.exe
Size

2.2MB
MD5

505a06ec9c7496c2bede79b31e3c4454
SHA1

4e32887ce49b55853550ef720b673f8402e5f348
SHA256

204d18ba997e4415cfead4170a96ca9c6ec86b6891252607b58b14313dec53ae
SHA512

f8dba99ae6ef0102b6f075ddb843a8ad085dbfa8656fd209c3a7a6cd37b01c5b3f9beb71e9966b35b43d43bbffb0a5823427c327ee4d1fc48758f8bf8866df1b
SSDEEP

49152:wPcNfJLj7dqvhoMQTIYNeDSM3QFEiabkxG:w2Rnd92Ldw0

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002321e-38.dat	acprotect
behavioral2/files/0x000d00000002312d-145.dat	acprotect
behavioral2/memory/1776-153-0x0000000074140000-0x000000007414A000-memory.dmp	acprotect
behavioral2/memory/1776-218-0x0000000003720000-0x000000000372C000-memory.dmp	acprotect
behavioral2/memory/1776-276-0x0000000074140000-0x000000007414A000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	505a06ec9c7496c2bede79b31e3c4454.exe

Executes dropped EXE 1 IoCs

pid	Process
1776	98c9Installer.exe

Loads dropped DLL 47 IoCs

pid	Process
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe
1776	98c9Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2796-0-0x0000000000DB0000-0x0000000000E19000-memory.dmp	upx
behavioral2/files/0x000600000002321e-38.dat	upx
behavioral2/files/0x000d00000002312d-145.dat	upx
behavioral2/memory/1776-153-0x0000000074140000-0x000000007414A000-memory.dmp	upx
behavioral2/memory/1776-218-0x0000000003720000-0x000000000372C000-memory.dmp	upx
behavioral2/memory/1776-276-0x0000000074140000-0x000000007414A000-memory.dmp	upx
behavioral2/memory/2796-277-0x0000000000DB0000-0x0000000000E19000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vittalia\uninstall.exe	98c9Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023213-22.dat	nsis_installer_1
behavioral2/files/0x0008000000023213-22.dat	nsis_installer_2
behavioral2/files/0x0008000000023213-25.dat	nsis_installer_1
behavioral2/files/0x0008000000023213-25.dat	nsis_installer_2
behavioral2/files/0x0008000000023213-24.dat	nsis_installer_1
behavioral2/files/0x0008000000023213-24.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	98c9Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1776	2796	505a06ec9c7496c2bede79b31e3c4454.exe	90
PID 2796 wrote to memory of 1776	2796	505a06ec9c7496c2bede79b31e3c4454.exe	90
PID 2796 wrote to memory of 1776	2796	505a06ec9c7496c2bede79b31e3c4454.exe	90

C:\Users\Admin\AppData\Local\Temp\505a06ec9c7496c2bede79b31e3c4454.exe
"C:\Users\Admin\AppData\Local\Temp\505a06ec9c7496c2bede79b31e3c4454.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\temp\98c9Installer.exe
  "C:\Users\Admin\AppData\Local\temp\98c9Installer.exe" /KEYWORD=98c9 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98c9Installer.exe

Filesize
1.4MB

MD5
7a6790ece081fc7199bdb9a669d38bd1

SHA1
8725f7d2f30a641f77bf595a23b63a12300cfc6d

SHA256
b676826d9afa4822d14c1c2f9e9b2d8a36db1d5d18e4a6ac1191bb0569ea2523

SHA512
a1c2e91fbb3d3ce66e3c3ee41e9ca5278f883f7b3f3742c25101e3f547ae25f7cfae8995fc842fabe07d3c4e046cac5a9e30e077c84b2b6951bd5de99e3345cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c9Installer.exe

Filesize
126KB

MD5
ac97a298367234c5c4fd5370e5c37c90

SHA1
35d09f532c11a3945401837beb917bcf5cf3534e

SHA256
c76fec120c94b5fd821609ac1b9459d3e2bcb362982b9f318437835669ec51e9

SHA512
0d3f75acb525c4f01ffb224764c7b5b2c063fe8d7dc9e38a236d99f61eaff79c8c670dd3f51f986658d37d6f7455658fd8de4993afaaf72959dc256d7bfcaa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsFILES.dll

Filesize
76KB

MD5
586e7325f38789c3af9cbc3083fd9f98

SHA1
ef1f480552824fc637671e9144ee5e99689bb14f

SHA256
ce470549f32b62a6e1adbe8bab10b5a8371215e29528e2b2aacbddff472a1cf0

SHA512
0481145e0923f3eba7a9103a4cebb3035785828488042d27fd8a6f918febde23523267e5520325e5604d48dd2d7e58935b06660a9a4241746bcce0afa59e66d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsFILES.dll

Filesize
43KB

MD5
8b987708c216506b66343197dcf1cb91

SHA1
589f67ce104d25f6d0659034adc403b5007a09f4

SHA256
2c23db3b3a6a54551aa9bfeb6a13a41815ad5682865efaf327e2a6cc7ae40e31

SHA512
5f5f848c62f4fc0c2bf32ad6c0ecc0b43ecc42e5ffc7a5d26af7651032b023ce493210dae34bdd081bd21d6bc2302536d0a1a6356c6698612ffc12971cc6d14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsURL.dll

Filesize
5KB

MD5
06ff163443f719a6103e915f29aaa971

SHA1
de771667b0d41f8243ff74b0dca47a2cf1246801

SHA256
a0ee0e894011112f2b945eb1fe59ec849e7adc3827cf793f14865965bae46c94

SHA512
fa6d31e1250aa7f4c76a5a27a9adc4d58bb90b3607cf5e32a0660dea9f25ed800a6172637f748d9f66f63ae5d1d0b0e010414375facd246850190b675aff15fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\nsURL.dll

Filesize
108KB

MD5
c3e5489ee3750fd9179f0fb4054aafaf

SHA1
d7a3c10648c25a035343f4057b3ee7015ba0b50d

SHA256
0470bf7eab3bc073a3cbc2c1a941379fb1b67cdec19cc201f03062b21d5d726b

SHA512
599f8100f3d6adc2eeff9e0c618098f0e8985c72e60b506d26a53a3dea10135a5e0259cd447794d8e933e551f4ed2db935d1c45085adb4dddc88521e1b22e624

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\tkDecript.dll

Filesize
49KB

MD5
d0c08bb8e4bdb0b6cc7485987de8e339

SHA1
966199cfbaf37a2bd805c91fe5ef993e4b670cab

SHA256
15143012f410a46b338f149bfa6981c8f288f23680d6ecf06f976c8f93437aea

SHA512
6e8c3909e4993b5b06e4fbe1919065edd1ab44fb5c4c7ad3ee260d9d5f3bd89a51c39e31477adaac7882c64e07a0b0193e243e1226c6bc3a3bd6cf458d73d689

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\tkDecript.dll

Filesize
54KB

MD5
2653261dc4053518efc7c225044a4739

SHA1
a164fa4e4797cbc9ef5d12f75537594312d585a1

SHA256
1f07d90a8b927b91a204d07fa0911621b780271aecdfb83368adac8957858270

SHA512
5857f631abe4508b510f8d1bad26567eb7c087a91a2ab09b001963c87e0dcf4851ffd957c5517fbbfb89dfd6d303c8cfa2f4d134908831993a4c303140495c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\tkDecript.dll

Filesize
58KB

MD5
9578097d04bd719bceff44994a1165ac

SHA1
392c6786c9cfbc7624fc8998be09902f364059e9

SHA256
9420e0ff8a0cb7f466428a590d676949cfba06c5c0286b3bee668de863c053ed

SHA512
11c37f2b0a59d491c1b9ebd30a663f8bdbe74f9283fbff3712710d98ccb62ee507e75a85215b15eff9143c641004bd7720eee4136468ea9151f0a0b0e3c805cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi9AE9.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9Installer.exe

Filesize
191KB

MD5
47974b1e26177bd81a3905f917bce63d

SHA1
d716120e65c1c748c1fc071bd04751aa2745843b

SHA256
06278afaf679d60384a74bac68880abbb138b0929042b767cbecbd72dd5fccda

SHA512
54ce3effd73b84f4443c7a778b67bfde02ef9ae01fd8d81ab2a6689a426bb2e1a0c12e61062891028326ea028ae13eb305ca09d4779a035c9888ef79562fae84

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9fondo.bmp

Filesize
206KB

MD5
bfb7e1c5c86c449594a7ce8748d300ec

SHA1
7b58dc0d49f1c6631e2f10491275759ecf207ae2

SHA256
e54552ebc74b557f0838965000e4496ede4a94e271cd1543342e94ea2e189593

SHA512
d3e7f3d822f6ddda3ccb53ffeab0db38333dc9863351d2ce167466527fe38b2abd1a68ed5803cdb40730a5387a8e1669ddd2575986eb7557009da560808738bc

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9header.bmp

Filesize
25KB

MD5
b748b65bcf37d69f8899aa773226e916

SHA1
fb3fbf9393289d1f539a57235e89675360848cfc

SHA256
a09ef4d3c8ce7668593e67f492894bed3d65660612cb71bbaccb2685bb1738b0

SHA512
4e58390303c0cb3ab173337413f96b04b3850fc4fe75740d4170d577b42d112ae00930515a725f858542ab1863e0ea30cd82477313296c36cbcd33aa2789c155

Download Submit
C:\Users\Admin\AppData\Local\temp\98c9installer.ini

Filesize
515B

MD5
f950f14f96ec808bcbd4a7a35376e456

SHA1
53129a8cc7e8954d5a74388bd9c5728cb6443049

SHA256
4cf28a7e289a25ed4ea06362646bbbe4514355fc98f990d7e814714c7503acb1

SHA512
6323be24409f1705310858ed54569c8081e3c35477ef8d1f3f951157d3a7b401e5be537688e806d6482f6c9a462fb61258af861e6e35065c12447e59c4cf004f

Download Submit
memory/1776-47-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/1776-278-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/1776-218-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-153-0x0000000074140000-0x000000007414A000-memory.dmp

Filesize
40KB

Download
memory/1776-267-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1776-41-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/1776-288-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1776-276-0x0000000074140000-0x000000007414A000-memory.dmp

Filesize
40KB

Download
memory/1776-287-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-174-0x00000000036C0000-0x00000000036E6000-memory.dmp

Filesize
152KB

Download
memory/1776-280-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-281-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-282-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-283-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-284-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-285-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/1776-286-0x0000000003720000-0x000000000372C000-memory.dmp

Filesize
48KB

Download
memory/2796-277-0x0000000000DB0000-0x0000000000E19000-memory.dmp

Filesize
420KB

Download
memory/2796-0-0x0000000000DB0000-0x0000000000E19000-memory.dmp

Filesize
420KB

Download