de8e6d4b87735db9251283f7ed6e8eb67f2e441f4232c32688194089207bfe01

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7272c8337cd8e1c24bbedc711d5c8c63.exe
Size

7.6MB
MD5

7272c8337cd8e1c24bbedc711d5c8c63
SHA1

5a8fe1dfa771cc0aca1dea34aea6bbbaac2bc57e
SHA256

de8e6d4b87735db9251283f7ed6e8eb67f2e441f4232c32688194089207bfe01
SHA512

816a0a3d09b5745c542dcaef598b4d6f8a06c0052858ed24b6749353aabcb23dbac34366f260807d014b0b2b93e628762b53be211fd050e4287bf830463f4960
SSDEEP

196608:Bbu8/8sQIZqTExhb3N1K2BJuEfjsLIlb6oF5owm5Ndfv:BDzQghbdA4BsE6oF3m35

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1664	servbrow.exe
2532	servbrow.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files\7-Zip\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File created	C:\Program Files\VideoLAN\VLC\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servbrow.exe	7272c8337cd8e1c24bbedc711d5c8c63.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTcbPrivilege	1664	servbrow.exe
Token: SeChangeNotifyPrivilege	1664	servbrow.exe
Token: SeIncreaseQuotaPrivilege	1664	servbrow.exe
Token: SeAssignPrimaryTokenPrivilege	1664	servbrow.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
536	7272c8337cd8e1c24bbedc711d5c8c63.exe
1664	servbrow.exe
2532	servbrow.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2532	1664	servbrow.exe	99
PID 1664 wrote to memory of 2532	1664	servbrow.exe	99
PID 1664 wrote to memory of 2532	1664	servbrow.exe	99

C:\Users\Admin\AppData\Local\Temp\7272c8337cd8e1c24bbedc711d5c8c63.exe
"C:\Users\Admin\AppData\Local\Temp\7272c8337cd8e1c24bbedc711d5c8c63.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\servbrow.exe
"C:\Windows\servbrow.exe" /Service
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\servbrow.exe
  "C:\Windows\servbrow.exe" /Popup
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll

Filesize
552KB

MD5
f49cf59fb6e0ba2bc33c22a98a9efc9e

SHA1
e7d22f32bbc05c39597e2ddc33f7593b8a4d020a

SHA256
8e39171045f413d96d48d75f6ac0e0e2d97eedb0d6ac775b2217ca890f28a405

SHA512
b9d7ddc25ac59f53be074c30f7e2561fa8a73fbfcaf506ee809bb332a19d2b776db937cd6715461c4940915c74f482cd9a8167554bcd8c780d6534a72d41c842

Download Submit
C:\Windows\servbrow.exe

Filesize
1.3MB

MD5
3aa0b4998f835751d91f0873ae72b5ed

SHA1
53d0e244f8a3c23bd3cd03920b1d684aa8edc2f0

SHA256
427800b79aefa7f5daeff186563c4c32c956ce00e5d6254965fb346eb3a1e2ec

SHA512
101131a2095f1063ac7e284180299544670dc3c99a04f27a549d14c4e8b7411f3931e0c7abfb7bec4d8655ef408bf602b2b4561421a3f7cf12d3df04c2e87020

Download Submit
C:\Windows\servbrow.exe

Filesize
858KB

MD5
bbc97055cfe34cafb35736ea347ff586

SHA1
16495d19223e067a67bb84d704db54ebfda3a7ec

SHA256
24fea832de903a65ff9ec4785275fee9de5d57a97985c86e9f0b4802593394d6

SHA512
896ca2ac2cc13ca561f4e25c54dd01e9ced229f2304ba7f20c2f4dc68dae7485fee4fd16384761180ad62843fcbef05ac95777432e7ce9afb18d19ae55540b5e

Download Submit
C:\Windows\servbrow.exe

Filesize
6.2MB

MD5
b27d9543cc03629f551b9e81a6ba080b

SHA1
1850aae709bd61bba4a84961d31b58e15b97232d

SHA256
b561fcfcd86d4764ff6d1d7a437a9b63abe2b1649df723c735354e43cf3fedb1

SHA512
524784951fac7feffa2e10b1bc99e8656b35771071df096d4ab5feb7a3b7a1618373ca503ae0cfaf6e7fb4c8be1ee3c8e3cd9855f71a84001f484daaef37a235

Download Submit