e4d9d93d7d0bd77e9ab712b36cbe40e0a33ac158d0177527a55006222349c577

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6480943af07e313616aabe21c5305eaf.exe
Size

3.7MB
MD5

6480943af07e313616aabe21c5305eaf
SHA1

27455fefee28582558e8fa436a466484d1c7d632
SHA256

e4d9d93d7d0bd77e9ab712b36cbe40e0a33ac158d0177527a55006222349c577
SHA512

c539d686a7075cbb380334c2f1b72a037302fca9fc871fac1581995eb9631ae214a6ce18052d8d5c5c6ed8f79eb9bb7fe359275e34a9c87e87892706042c5368
SSDEEP

98304:F2m4OyJ8X/ND+aTGQQ4BSLWCilhsiL3KG4oi:omHQaT7jS6CibCG4

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 2 IoCs

pid	Process
488	setup.exe
2152	s_install.exe

Loads dropped DLL 3 IoCs

pid	Process
2152	s_install.exe
2152	s_install.exe
2152	s_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	s_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	setup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\ = "toolplugin"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\Implemented Categories\{00021494-0000-0000-C000-000000000046}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\toolplugin\\toolbar.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFEFCDEE-CF1A-4FC8-89AF-189327213627}	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
2152	s_install.exe
2152	s_install.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe
488	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 488	4520	6480943af07e313616aabe21c5305eaf.exe	87
PID 4520 wrote to memory of 488	4520	6480943af07e313616aabe21c5305eaf.exe	87
PID 4520 wrote to memory of 488	4520	6480943af07e313616aabe21c5305eaf.exe	87
PID 488 wrote to memory of 2152	488	setup.exe	88
PID 488 wrote to memory of 2152	488	setup.exe	88
PID 488 wrote to memory of 2152	488	setup.exe	88

C:\Users\Admin\AppData\Local\Temp\6480943af07e313616aabe21c5305eaf.exe
"C:\Users\Admin\AppData\Local\Temp\6480943af07e313616aabe21c5305eaf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
  .\setup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe
    "C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\317B.tmp

Filesize
321KB

MD5
2fff00bdd4c6e590467689f1b13f1518

SHA1
aa804582d4fd50371319bd18e4d1974e59ff5b34

SHA256
4290f64070999f41c9ec77ed2b43871377f0177c5b5bf0471f6e34c7d51a07bb

SHA512
ffd8d376fede925095cd966db2b96504df19f0074ab707527a94e3d683b80534ba5699140f91a190ed3297cda2c139b95dcc3b6086f8f5f0362b0f360fe0dfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\317C.tmp

Filesize
237KB

MD5
74145e1d71e2c5f26c0d2875fd682b8e

SHA1
d48079ba76ed87f25d5beb75bc5bf9c5aa3cc0be

SHA256
b93adac09cf28ef76a710c430b2dd7a38889e6508bad426455cd356f0af83f47

SHA512
38b902abf344ea515f6a9d2ac513b763ffb6170f9d5374c8f4d36e7a71a15bf74a84c6c017cd8c1d79da54ae10fcc9660f5d62b4ea63eeaf8c4fc5e6f1e90595

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\options.txt

Filesize
118B

MD5
eef91274f5a0a5a3dc745ecebb9d66f1

SHA1
f94de0c1d1182b03fddc716196f13cbce815ff30

SHA256
b8c35bb5d42e1b8ea842e720f01321f290fb1ae7f0519954a4cf6473b796247a

SHA512
2fa24ec1169b59bd8ff2f4eabd4525a41e9aa17003a8ee65bca244ddb5df929f14d6b778dc4408585e551d265ac59cb355d908f61a71cf159172febaf83b1ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\s_install.exe

Filesize
2.9MB

MD5
55056f624f46a16218e19b35cf36fcf2

SHA1
1d46889843b41627eb707ef0a5dd53571852e587

SHA256
717673f90dd0184449489880ce2f691b4a8c2c18e679bc6afe8d117bd5801627

SHA512
561d92d63bea7e112756b9a506562552550486a075272edd0596ca991e39d4aeacb4f841123d471723f4320b582066d642bc9c85728e836d0586e1e97f5672ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe

Filesize
666KB

MD5
34a53701f595d002fa8b65655f41e6ae

SHA1
11f29f4c7836011cacbf201b0057c079a831c31e

SHA256
68b403e06f0d9dc2e776f82167fd4bf2e392d271533d091cb826f4dcb3b7b1df

SHA512
180afc8c738dcb09d233700b2e43be3d8d5a14885e7940966ca85e1203baa76a4d9a383299e6da278f0b02c963c9845ab41ba0277f5da4c46230f6bdd4484339

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\tools.dll

Filesize
615KB

MD5
3c3c80039c6d346f75b15d8a08754ce3

SHA1
57e5cdf3ab2b37471613fa343cd113870f26c75c

SHA256
54e34b0c0e294b474630dc0b282c4b8904b3b5697c7891248fc2e0185688d91a

SHA512
c089a7ec8459bd20c319f98cf375f82a49db178fe40d7a0edf3464ee73bff42df47364ee0c8a3a9b4277eba7f35544e139db7948e62ef6e5332689f0c8fe17e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin\user.js

Filesize
391B

MD5
ee411ca5f47f3f17be491c7900f59cba

SHA1
a2482c3416ad6ebfe41113edf2e2bc07c9866a1a

SHA256
4d36d11c560cff3224c8725cb3db1d8c88316c8caf16f13ce866970509f7a0ec

SHA512
27ffa809d9030959be3e8f004a3b2bc4902aeb33b5f64781225dca8f4c97075d0b268f6c5335c64f5656eef3063a2d8c5e084f56016b9930f73b6ff01c597351

Download Submit
memory/488-11-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/488-43-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/488-45-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download