51341701778dbf970f3230914397cdede992cfce8172fadfd3acc867dcc6815a

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

659ea84594c1ec7a54e84ede5193b6ee.exe
Size

1.6MB
MD5

659ea84594c1ec7a54e84ede5193b6ee
SHA1

74a596ed01f6dbbc964ae3c048d5e3ac0f67184e
SHA256

51341701778dbf970f3230914397cdede992cfce8172fadfd3acc867dcc6815a
SHA512

0053999e44d3d9d580a4b0fb368087de5ecaa833ca328ab86d9c8c9da206d93e695e90c80036b7be2fa3669998cd2962bb941fb5836b6f21ef0ed873e9cd706f
SSDEEP

49152:V/fwUdeRW1s5ycjkcSZEDghtAkf4tJh8TN3r4:VwUdf1GXj6BGt35

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2232	659ea84594c1ec7a54e84ede5193b6ee.exe
2232	659ea84594c1ec7a54e84ede5193b6ee.exe
2232	659ea84594c1ec7a54e84ede5193b6ee.exe
2232	659ea84594c1ec7a54e84ede5193b6ee.exe
2612	659ea84594c1ec7a54e84ede5193b6ee.exe
2612	659ea84594c1ec7a54e84ede5193b6ee.exe
2612	659ea84594c1ec7a54e84ede5193b6ee.exe
2612	659ea84594c1ec7a54e84ede5193b6ee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5056	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2612	659ea84594c1ec7a54e84ede5193b6ee.exe
2612	659ea84594c1ec7a54e84ede5193b6ee.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2612	2232	659ea84594c1ec7a54e84ede5193b6ee.exe	87
PID 2232 wrote to memory of 2612	2232	659ea84594c1ec7a54e84ede5193b6ee.exe	87
PID 2232 wrote to memory of 2612	2232	659ea84594c1ec7a54e84ede5193b6ee.exe	87

C:\Users\Admin\AppData\Local\Temp\659ea84594c1ec7a54e84ede5193b6ee.exe
"C:\Users\Admin\AppData\Local\Temp\659ea84594c1ec7a54e84ede5193b6ee.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\659ea84594c1ec7a54e84ede5193b6ee.exe
  "C:\Users\Admin\AppData\Local\Temp\659ea84594c1ec7a54e84ede5193b6ee.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_1122c1bd0"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2612

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkg_1122c1bd0\autorun.txt

Filesize
137B

MD5
fdad8c34510459435a2ac3a36cdd5709

SHA1
7500a028fcec480f614f81fdfe3480957e852f2d

SHA256
f8d001e9dfc3204541263f2de7af0597ac96f4ad7188329133a1d4e7dcb7f514

SHA512
b6c4ce908eca5951193e7cf86094d52c49fb2d9e2bf2ed00e7f36c3edbfbfe5b19d11ce35c9a51788f346b43249a4e766f1a8026e5a95cc640a457dedacc4859

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_1122c1bd0\wrapper.xml

Filesize
798B

MD5
1d45a29e3511b982a1f91b33c70e964f

SHA1
176a47b489be3f27dc354a2b9dd0b580bb2f3904

SHA256
0a69c29fe16727b18425df8ded1cfe9d07a380b9f23f1beb32f60fefc000b3dc

SHA512
c574719f56a9cc0a3c393001f0774a5826afa5972906d9d9d214a183724a9f7226483a7181a0030e0f801b481a19957761efc170a10850aec786623eb939eb69

Download Submit
memory/5056-76-0x000002D63B840000-0x000002D63B850000-memory.dmp

Filesize
64KB

Download
memory/5056-94-0x000002D643B80000-0x000002D643B81000-memory.dmp

Filesize
4KB

Download
memory/5056-92-0x000002D643B50000-0x000002D643B51000-memory.dmp

Filesize
4KB

Download
memory/5056-60-0x000002D63B740000-0x000002D63B750000-memory.dmp

Filesize
64KB

Download
memory/5056-96-0x000002D643C90000-0x000002D643C91000-memory.dmp

Filesize
4KB

Download
memory/5056-95-0x000002D643B80000-0x000002D643B81000-memory.dmp

Filesize
4KB

Download