e4d9d93d7d0bd77e9ab712b36cbe40e0a33ac158d0177527a55006222349c577

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6480943af07e313616aabe21c5305eaf.exe
Size

3.7MB
MD5

6480943af07e313616aabe21c5305eaf
SHA1

27455fefee28582558e8fa436a466484d1c7d632
SHA256

e4d9d93d7d0bd77e9ab712b36cbe40e0a33ac158d0177527a55006222349c577
SHA512

c539d686a7075cbb380334c2f1b72a037302fca9fc871fac1581995eb9631ae214a6ce18052d8d5c5c6ed8f79eb9bb7fe359275e34a9c87e87892706042c5368
SSDEEP

98304:F2m4OyJ8X/ND+aTGQQ4BSLWCilhsiL3KG4oi:omHQaT7jS6CibCG4

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1936	setup.exe
2740	s_install.exe

Loads dropped DLL 10 IoCs

pid	Process
2248	6480943af07e313616aabe21c5305eaf.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
2740	s_install.exe
2740	s_install.exe
2740	s_install.exe
2740	s_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	s_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}	setup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\toolplugin\\toolbar.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\ = "toolplugin"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\Implemented Categories\{00021494-0000-0000-C000-000000000046}	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	setup.exe
1936	setup.exe
2740	s_install.exe
2740	s_install.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe
1936	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2248	6480943af07e313616aabe21c5305eaf.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 2248 wrote to memory of 1936	2248	6480943af07e313616aabe21c5305eaf.exe	28
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29
PID 1936 wrote to memory of 2740	1936	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\6480943af07e313616aabe21c5305eaf.exe
"C:\Users\Admin\AppData\Local\Temp\6480943af07e313616aabe21c5305eaf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe
    "C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\options.txt

Filesize
118B

MD5
eef91274f5a0a5a3dc745ecebb9d66f1

SHA1
f94de0c1d1182b03fddc716196f13cbce815ff30

SHA256
b8c35bb5d42e1b8ea842e720f01321f290fb1ae7f0519954a4cf6473b796247a

SHA512
2fa24ec1169b59bd8ff2f4eabd4525a41e9aa17003a8ee65bca244ddb5df929f14d6b778dc4408585e551d265ac59cb355d908f61a71cf159172febaf83b1ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
217KB

MD5
a2694a9ee5b78aab724cb19b05bc80c9

SHA1
ae3f4aabb9a184f6628c356f77d6321d3598e6a7

SHA256
7ed7706289ad98eb02e1b0ee7ee902cc22f9afc651a149486d270798b048946d

SHA512
2d3a816466fecb9958b4e9f5de79ceea787a43ce352daa4c6200be73a0507cb9a58f4740ff68a3aa87bdef5bfdbb33cfcc0837b5c57b5ac8d00997e6538d56bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
288KB

MD5
1e9381164c15c397f2b282333666d13b

SHA1
c56d09bec6e34a5186df45163c428730652b2c0d

SHA256
6c4b27e8883850b6374fcb49063c42a3f02ac350f6dc807b9c1ffaca201a10fa

SHA512
65e74fe483aecadfc1e9392ca6b0e711774050f91552d9d9223a671b623c482a15cdf75bad5d9a10260b7573ca80869fd66f29bc8de65169e053355d0378643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe

Filesize
204KB

MD5
59b566516e3c99bee8252f42821f4b16

SHA1
9fd8715f0264e88d22dc519082207b0c91227466

SHA256
6bc35ad5c9497a45be8abfc159073796fd0c92573b39fa7d62c16b604a34aa6f

SHA512
18c77df776c203438bd5836b1dfdc09114f24dbd776251a50a039bbc5273e174f70235a1200632e7a86244c40b0e5bd36c2f8dc1c789d8685d278ce2e8b8817a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\tools.dll

Filesize
277KB

MD5
55a57d02fc0d3c626012d0fad914e2ce

SHA1
c9cb9803e985c620ff5f98dc3e16e481791aa69e

SHA256
b9873919fdc1e847c4c943b41dacb0c7f82744c874794a0de3fe01c13830526b

SHA512
f13137246dd29da72378c6f98b8a46d8550733e642269b50b2c499f563aaed4e86346168e6c14fec59f77cfa2adbff177a9db4bab29e77cb0f2860598d753bba

Download Submit
\Users\Admin\AppData\Local\Temp\FE2D.tmp

Filesize
316KB

MD5
52cbef2f06d9586363c5f82d00b42626

SHA1
3fe1066fc8f28a89b34ae69587a569b58e6783b1

SHA256
2727634e3aae331d777cebcd9e2195963bacb81aea3434ae79ce5ded2d631c8f

SHA512
944481e75d86402027de8d3c428b3b34bc3b41e518e07359504db18f30b334576b93cae2dfe4001d86f4f3b4d28012d14c7b06942275c17d07400b7f82e96187

Download Submit
\Users\Admin\AppData\Local\Temp\FE2E.tmp

Filesize
237KB

MD5
74145e1d71e2c5f26c0d2875fd682b8e

SHA1
d48079ba76ed87f25d5beb75bc5bf9c5aa3cc0be

SHA256
b93adac09cf28ef76a710c430b2dd7a38889e6508bad426455cd356f0af83f47

SHA512
38b902abf344ea515f6a9d2ac513b763ffb6170f9d5374c8f4d36e7a71a15bf74a84c6c017cd8c1d79da54ae10fcc9660f5d62b4ea63eeaf8c4fc5e6f1e90595

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
311KB

MD5
931ab601b314327a6ea6af564f9d6dbd

SHA1
83eff98db69b28cc4975a76674352903fec91586

SHA256
b396a047b07d75223005606067c700d7a4303dfcb4aa3f894c63ac14da42c304

SHA512
8025b6cb04f8148e62a42526936932f3a6c2de69132cee49e1d1bbbdb4d311c4f1028063efc25db5aa660bf3d81aeed6378f4d9df0605300a2d579997d93ad20

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
355KB

MD5
be19379c701cdd2f01117cabb483eae4

SHA1
581cd277977dd04573283dab7d60e6266b9a6174

SHA256
6c979ef93ba8cf76853312941585cb87f229bac4bdf63813c9adde0c374076f6

SHA512
d74eae795da50936dfa600989930fee2794403e9b97d476213853057549488a5e67d328c3d5f43a3c30d5a2d597b87e7c8a734e540e883e4727ee31c1faf0cd1

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
304KB

MD5
733f3ac046ead15afc5ad411faaaaed0

SHA1
6d1d4028ecef45bcf10fbd65db663278157344a6

SHA256
49c005e7d853892eaea7b1e3aa39de7a6598db1b94510f4c3cdcec172aedc6c2

SHA512
81ddf77a1f9c3e774b2a79254250cc2f124696fcb0fdbefad2044643dcd5cea35f7e5e4545cd88cf30de9d6fd9b3394a52d56f6bf91601c51b65a69d2d3356e6

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe

Filesize
220KB

MD5
993f50fcaa5cac58d4e2d05f6f376df8

SHA1
5cf3c13cf35322ad29dbf046fda23477c8d5b1ea

SHA256
3ad4b443e343ee6f53c6c698bb89fa00109e8b9237bd6e33130f38e8849912e3

SHA512
350b27f0a158401529229f3a7e4d2578fcf0a0356a5a9868e1af35e18d557a4545ae4134b9d308793641d70dd264cee794a3b257860990ab2bd442894a8e5a97

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe

Filesize
666KB

MD5
34a53701f595d002fa8b65655f41e6ae

SHA1
11f29f4c7836011cacbf201b0057c079a831c31e

SHA256
68b403e06f0d9dc2e776f82167fd4bf2e392d271533d091cb826f4dcb3b7b1df

SHA512
180afc8c738dcb09d233700b2e43be3d8d5a14885e7940966ca85e1203baa76a4d9a383299e6da278f0b02c963c9845ab41ba0277f5da4c46230f6bdd4484339

Download Submit
memory/1936-47-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download