0970c65085942cac294377272eadf9a2facf73f5f16bb6986062bbff22a1455c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64d71d6cb8041fbb44975daa669ed125.exe
Size

4.8MB
MD5

64d71d6cb8041fbb44975daa669ed125
SHA1

c08dabc7e47c9bd4c950b4b37e1cb09cb264f9c7
SHA256

0970c65085942cac294377272eadf9a2facf73f5f16bb6986062bbff22a1455c
SHA512

e3f32899b25d269ffbf2e75e400d6fa785cfc7efce827a16a2b1f563318424eb6cac1b643500756167a816869d2df6240ab23ae95fc77be3cb7c9b2ad9e36d08
SSDEEP

98304:2agnJlfqwra+MAZp5HxBIITBQmg0kgwJjMTciS64qSPdq0fPW2spuro:2Rff2+M+BI6QWkgIScUX23k

Score

7^/10

spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000149f5-21.dat	acprotect
behavioral1/files/0x00060000000149f5-22.dat	acprotect
behavioral1/files/0x00060000000146c0-31.dat	acprotect
behavioral1/files/0x0008000000014390-40.dat	acprotect
behavioral1/files/0x00060000000147ea-48.dat	acprotect
behavioral1/files/0x000a0000000143ec-55.dat	acprotect
behavioral1/files/0x0006000000014af6-58.dat	acprotect
behavioral1/files/0x0006000000014af6-57.dat	acprotect
behavioral1/files/0x00070000000141e6-52.dat	acprotect
behavioral1/files/0x00060000000147ea-47.dat	acprotect
behavioral1/files/0x0006000000014667-46.dat	acprotect
behavioral1/files/0x00060000000146b8-43.dat	acprotect
behavioral1/files/0x00060000000146b8-41.dat	acprotect
behavioral1/files/0x0006000000014abe-36.dat	acprotect
behavioral1/files/0x0006000000014539-34.dat	acprotect
behavioral1/files/0x00070000000142b0-28.dat	acprotect

Loads dropped DLL 13 IoCs

pid	Process
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe
2548	64d71d6cb8041fbb44975daa669ed125.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000149f5-21.dat	upx
behavioral1/files/0x00060000000149f5-22.dat	upx
behavioral1/memory/2548-24-0x00000000749E0000-0x0000000074DFE000-memory.dmp	upx
behavioral1/files/0x00060000000146c0-31.dat	upx
behavioral1/memory/2548-30-0x0000000074770000-0x0000000074793000-memory.dmp	upx
behavioral1/files/0x0008000000014390-40.dat	upx
behavioral1/memory/2548-44-0x0000000074490000-0x00000000746E2000-memory.dmp	upx
behavioral1/files/0x00060000000147ea-48.dat	upx
behavioral1/files/0x000a0000000143ec-55.dat	upx
behavioral1/memory/2548-54-0x0000000074370000-0x0000000074389000-memory.dmp	upx
behavioral1/files/0x0006000000014af6-58.dat	upx
behavioral1/files/0x0006000000014af6-57.dat	upx
behavioral1/memory/2548-59-0x00000000741F0000-0x00000000742FF000-memory.dmp	upx
behavioral1/memory/2548-56-0x0000000074340000-0x000000007436B000-memory.dmp	upx
behavioral1/files/0x00070000000141e6-52.dat	upx
behavioral1/memory/2548-51-0x0000000074390000-0x0000000074421000-memory.dmp	upx
behavioral1/memory/2548-49-0x0000000074430000-0x000000007445B000-memory.dmp	upx
behavioral1/files/0x00060000000147ea-47.dat	upx
behavioral1/files/0x0006000000014667-46.dat	upx
behavioral1/files/0x00060000000146b8-43.dat	upx
behavioral1/files/0x00060000000146b8-41.dat	upx
behavioral1/memory/2548-42-0x00000000746F0000-0x00000000746FF000-memory.dmp	upx
behavioral1/memory/2548-39-0x0000000074700000-0x000000007470C000-memory.dmp	upx
behavioral1/memory/2548-37-0x0000000074740000-0x0000000074756000-memory.dmp	upx
behavioral1/files/0x0006000000014abe-36.dat	upx
behavioral1/files/0x0006000000014539-34.dat	upx
behavioral1/memory/2548-32-0x0000000074760000-0x000000007476C000-memory.dmp	upx
behavioral1/files/0x00070000000142b0-28.dat	upx
behavioral1/memory/2548-65-0x00000000746F0000-0x00000000746FF000-memory.dmp	upx
behavioral1/memory/2548-71-0x00000000741F0000-0x00000000742FF000-memory.dmp	upx
behavioral1/memory/2548-70-0x0000000074340000-0x000000007436B000-memory.dmp	upx
behavioral1/memory/2548-69-0x0000000074370000-0x0000000074389000-memory.dmp	upx
behavioral1/memory/2548-68-0x0000000074390000-0x0000000074421000-memory.dmp	upx
behavioral1/memory/2548-67-0x0000000074430000-0x000000007445B000-memory.dmp	upx
behavioral1/memory/2548-66-0x0000000074490000-0x00000000746E2000-memory.dmp	upx
behavioral1/memory/2548-64-0x0000000074700000-0x000000007470C000-memory.dmp	upx
behavioral1/memory/2548-63-0x0000000074740000-0x0000000074756000-memory.dmp	upx
behavioral1/memory/2548-62-0x0000000074760000-0x000000007476C000-memory.dmp	upx
behavioral1/memory/2548-61-0x0000000074770000-0x0000000074793000-memory.dmp	upx
behavioral1/memory/2548-60-0x00000000749E0000-0x0000000074DFE000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2548	2188	64d71d6cb8041fbb44975daa669ed125.exe	29
PID 2188 wrote to memory of 2548	2188	64d71d6cb8041fbb44975daa669ed125.exe	29
PID 2188 wrote to memory of 2548	2188	64d71d6cb8041fbb44975daa669ed125.exe	29
PID 2188 wrote to memory of 2548	2188	64d71d6cb8041fbb44975daa669ed125.exe	29

C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
"C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
  "C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
  2⤵
  - Loads dropped DLL
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21882\base_library.zip

Filesize
228KB

MD5
33784c1e50d90e7d333d618a24f041f7

SHA1
53b3e44d213f1d8cc2785248fd5eb2b1bfdc1bf4

SHA256
cdaa3fac604bedab4009d26c10352cf8c8d2f53a4d6e8f22cf44d17de1dae05f

SHA512
58c5ce04159b35b71cb14f2b071783b1b81405ebb1609f7d1942b66e6b0e90bd4e65a800f526998d92113d0e1dfd5e59541cee37dd58ff0b77c0c4d10652bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21882\libcrypto-1_1.dll

Filesize
139KB

MD5
ad2a855dcf82ae7dcdfca9c46891c355

SHA1
fb16341b8110d5d649da3cd98fb2cf740ba3e4c3

SHA256
dd92272c21ed9b15dea094601eac42cb0b1c6185cfe08b42769ff1686a288da8

SHA512
c8b5c59009cded6526546226c781915ef51bac056f771ae2c8d606de149f3637b2e52da809ee253b0e4c2d076273e8098212718f00aa06bc6ae965c81559bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21882\libssl-1_1.dll

Filesize
118KB

MD5
d3d00f028277e4a8283177c23c972a9d

SHA1
ff698b836454cd0989870524bee404ba97e53740

SHA256
12819be78c9f472c0028aad4e77f8bbe883aeb5a5f1aec2578454ed8c4a5c386

SHA512
b24e59a35aa076394b141d9b6aad0fde7fb909964675e6219b157d3e61c381d9562c29ec086d47386c3c874494ba6c4c215fdeb9ddbca5ddcf958ff8effa87a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21882\python38.dll

Filesize
1.2MB

MD5
3d3d8ad3c8bde9d26f97af7d04c1a2f1

SHA1
4521ef8af79de76ca6dc40733ea30d89eba1b736

SHA256
20539b920249c21bb7694ee72f62797f31a7c1620beb3d85d41af5e17daf49d7

SHA512
60c15ac333febfdeab3dc2c911c10f7df0f4693f9c8b43b202607f1b3a456230ebe3848a2de8b668252c3a0ce3442c4eec675e023f79ce6d8d2a0d68b89da210

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21882\unicodedata.pyd

Filesize
247KB

MD5
4670a81d9b5b494e6da1002afb3d31b7

SHA1
e4d9955942038c5d3118b40125d7085ba855370d

SHA256
81081c6d825fcdb6a92c61ae5c3c7b10be8e0d76abafee4bc207abd5371ac20f

SHA512
4e3102be913db7cabf6e597fbccc9a360eaf3bb45f6cc4d0748fbd0a9d293c06b87be6e42769f4adbd94622a4e046ae27e3e4443333a0e6aa1a00bed09a058e2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\VCRUNTIME140.dll

Filesize
81KB

MD5
2ebf45da71bd8ef910a7ece7e4647173

SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06

SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_bz2.pyd

Filesize
42KB

MD5
09c52add7abd44eded770115352f2f41

SHA1
48f44e158bdf2f6a1329fac4df96dc18aa84a88f

SHA256
9255d3f6217ba0e7ad4be558798764ccf6a796b143c6e12ef639692f5198558f

SHA512
ed97478c35b495598ea0e2a9ec35fa75a3cc2ae68abbf74f768d90d5e4b7b637f716c865e4d5a2c8c3b217696598a12abf748c64395d5517c765bb2e2ff52af8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_ctypes.pyd

Filesize
50KB

MD5
f63b6453662fd08af9c442a0bbb85308

SHA1
81721fbd1579a6af44677ed1573d7c5f1ed7ec7e

SHA256
b88ff4a52a6d3529f7d36dfd530bfd206ebf2ac7c171f7d06f9cc3345a57209e

SHA512
1edb1fa0106f7651b34e9e89a2a3f0a27ff0d0f456ba63b4ee3e65d2db073144c792369219e45afb50febd23d80020320aa1d4b37b2d790e839ee70ec13b2ab7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_hashlib.pyd

Filesize
23KB

MD5
8268a89d1d90fdd9a747fea7f1ccbc20

SHA1
1fcb3558e6577a289dac4114c0223156087c77eb

SHA256
7e30c7a03c4df99bbb1d316409ee0aec698c56fc7f87ff6b0f6185173692a525

SHA512
0db082b4a11ab410601fbc165de719853ebadfa140e597f07d3d562db4d5bd44f5af1ed185a866588935a8d49afd7440fee7f51e038bea639153d8bf41e97ecb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_lzma.pyd

Filesize
79KB

MD5
c06a1015d4bceaaabe9b8e8fa9c5590b

SHA1
52b802ac7e6723a2c668f173bb217bb085810d6d

SHA256
bb92c27f5bcdebe81ad2f6404552690349c909d7af460bd7067479cba6881ea7

SHA512
7f12fb2747a9dc73f2719f7e1deb45c0ae482c7ef406d76cdcbd25357b97374405115f21efb79c23ed3976d4fb2067d44773dc7313f63b78d3bd0d41037f3173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_socket.pyd

Filesize
34KB

MD5
cedd8543545b42279837d0b08c39363b

SHA1
6d593892d452723ba54a2970463537fc33979bed

SHA256
5bb719c09e9c2bb8f6fa9a3b6ff0a932f9291a6263d621b8a96201e9b895260a

SHA512
94a306725417660ea9e3eb9c40bad04140ef22f09a3844ddc4024b1464dd02e2c1fdebddeddb1ba7f215c51b2538690ded1dc374c1fd0c6f1024b45728549046

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\_ssl.pyd

Filesize
53KB

MD5
a868bcaa557f6b6093eb4f60e4569c42

SHA1
8654b06e306312becffac03a2fd09deb34dc13d3

SHA256
1289aa6c9244f3832f2953bf5bf5e43d7a258557113aba16e53909773875ec77

SHA512
94c3e55d516d1c846e970774474669ac581e199b231182f579cbed8276f45096960bc67ff30aa2ddc58e775f1d8ff646083ab9371a3077bc3db52318193f4000

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\libcrypto-1_1.dll

Filesize
141KB

MD5
87ef076022003365717521040b257118

SHA1
226af72870ab8ce880c83e9fbab3829fbcd0e22c

SHA256
96bac728ec4e3502bca1b87eb8ddeb0ef3741defcc31786dc20554618487afaa

SHA512
4f405b203d525ad80510963d71d2be479861d8eaeefa2dd8d530c052dd30cf6d029ca06f4e76fd36e52146d1b4a2110fc0b6a5a142c9884599710fdf059a040f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\libffi-7.dll

Filesize
22KB

MD5
bd6cae5d2914cbd29080c3f37293c944

SHA1
69254f47b2cb0c319dde36f79561dc1bd11aa66d

SHA256
0307d65c5ff0f171f99e26cde1aee5019361be7d4cd72603880ffec3d5e7ce56

SHA512
c1d052ce66331981f8e73fb862cbbd80e20bd2808ba52174d64e8bef6008bca33e71f63d1f36d493da841a254c57e8f17851252fa5073fc68fe0ea91a48f782b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\libssl-1_1.dll

Filesize
162KB

MD5
b99585231674c2f58f74a4b2e2f25453

SHA1
48b7866a96e6c4a0ec38e97a168bf76c05394492

SHA256
c419c4b2676f0c9b5d5849c65903b30116d1ec6a405812c625151c256893e718

SHA512
41f1f832c4210944284762ed70338cd602836392efb43faed2753fa32db883184f976339bfe305dff03c5f2c8013ff7f765984670153260326cded40aa63bf6e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\python38.dll

Filesize
295KB

MD5
705722dca885d6d595901b4f11f5cbf8

SHA1
1dd0352c8b8ae31ca8ec70a778b0778c49023de3

SHA256
67b60f6981dc103ad3dc694908a36874133808269a24c10dd7823e0aeabb94a7

SHA512
169a170241c1b9af1014df1d4bf8f4d0dd4a3f7fc5a73bc616e9a00e891291fbdc32f06dea8f66e25326ea3da6f30b79fa616f05b5e5df2c6a4325c2e04542e3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\select.pyd

Filesize
19KB

MD5
99f9d89add39c6e589d5d4c076e12ca6

SHA1
5a370cb3295fd5e72023ec844a347a9b47640c2b

SHA256
dc95c6e11e197545ce40a56f102c380cfa36d3181497074313c19e2876180fce

SHA512
7b991937d3f14a07d0ce78c561d891d605f61c6169be99bd39cf9d1550ad38459d54602947533678afbc41d58559299bed63c065a07ab0563636b807b0629b28

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21882\unicodedata.pyd

Filesize
277KB

MD5
b25cdf18204d4b6b76d9894b36113e64

SHA1
e74fa6bed5881337321771f78dcd118f8448eb5d

SHA256
d09e4fe7e7a39dcb7066ad22072a36100405a22f1c716f46499f0f78d96116ae

SHA512
016a0a538a85fbdae09e0dc31339ace1262e9c237804a0758b4157c48a831fa3f7b65e0d616992d442378c0986ff0d373e6bffa8b9bb84d5995fbb4633ac6ece

Download Submit
memory/2548-54-0x0000000074370000-0x0000000074389000-memory.dmp

Filesize
100KB

Download
memory/2548-24-0x00000000749E0000-0x0000000074DFE000-memory.dmp

Filesize
4.1MB

Download
memory/2548-51-0x0000000074390000-0x0000000074421000-memory.dmp

Filesize
580KB

Download
memory/2548-56-0x0000000074340000-0x000000007436B000-memory.dmp

Filesize
172KB

Download
memory/2548-42-0x00000000746F0000-0x00000000746FF000-memory.dmp

Filesize
60KB

Download
memory/2548-39-0x0000000074700000-0x000000007470C000-memory.dmp

Filesize
48KB

Download
memory/2548-37-0x0000000074740000-0x0000000074756000-memory.dmp

Filesize
88KB

Download
memory/2548-59-0x00000000741F0000-0x00000000742FF000-memory.dmp

Filesize
1.1MB

Download
memory/2548-44-0x0000000074490000-0x00000000746E2000-memory.dmp

Filesize
2.3MB

Download
memory/2548-32-0x0000000074760000-0x000000007476C000-memory.dmp

Filesize
48KB

Download
memory/2548-30-0x0000000074770000-0x0000000074793000-memory.dmp

Filesize
140KB

Download
memory/2548-49-0x0000000074430000-0x000000007445B000-memory.dmp

Filesize
172KB

Download
memory/2548-65-0x00000000746F0000-0x00000000746FF000-memory.dmp

Filesize
60KB

Download
memory/2548-71-0x00000000741F0000-0x00000000742FF000-memory.dmp

Filesize
1.1MB

Download
memory/2548-70-0x0000000074340000-0x000000007436B000-memory.dmp

Filesize
172KB

Download
memory/2548-69-0x0000000074370000-0x0000000074389000-memory.dmp

Filesize
100KB

Download
memory/2548-68-0x0000000074390000-0x0000000074421000-memory.dmp

Filesize
580KB

Download
memory/2548-67-0x0000000074430000-0x000000007445B000-memory.dmp

Filesize
172KB

Download
memory/2548-66-0x0000000074490000-0x00000000746E2000-memory.dmp

Filesize
2.3MB

Download
memory/2548-64-0x0000000074700000-0x000000007470C000-memory.dmp

Filesize
48KB

Download
memory/2548-63-0x0000000074740000-0x0000000074756000-memory.dmp

Filesize
88KB

Download
memory/2548-62-0x0000000074760000-0x000000007476C000-memory.dmp

Filesize
48KB

Download
memory/2548-61-0x0000000074770000-0x0000000074793000-memory.dmp

Filesize
140KB

Download
memory/2548-60-0x00000000749E0000-0x0000000074DFE000-memory.dmp

Filesize
4.1MB

Download