ec71ef930f4d62ae6867a89ff441606686f1897d1f9e13f00e17682b47b437d5

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e5b899a84a13a01d510f1acf6ca1d45.exe
Size

576KB
MD5

7e5b899a84a13a01d510f1acf6ca1d45
SHA1

ed228c86cc2b5ea5ee9d44529922e5226dcd9b6e
SHA256

ec71ef930f4d62ae6867a89ff441606686f1897d1f9e13f00e17682b47b437d5
SHA512

cb31201f66edf97b2df0b3b84ac4d52295c18aba30277a26d399bbdba953afc2f761c76dfa00f2109f42d3beaf552003af882485b2cfa5874e9dd8790db9ce50
SSDEEP

12288:oQUa/MA8yiWmDUy9L3BRDhizGJ4JCUD3dzr3/ZX7du227cB:oQf/hF4/hihJCMNz7/ZrduJYB

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2868	7e5b899a84a13a01d510f1acf6ca1d45.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-1-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-2-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/files/0x0008000000016a93-122.dat	upx
behavioral1/memory/2868-149-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-150-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-151-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-152-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-155-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-156-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-157-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-159-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-160-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-161-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/2868-162-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is259395966.log	7e5b899a84a13a01d510f1acf6ca1d45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	2868	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	7e5b899a84a13a01d510f1acf6ca1d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	7e5b899a84a13a01d510f1acf6ca1d45.exe
2868	7e5b899a84a13a01d510f1acf6ca1d45.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2572	2868	7e5b899a84a13a01d510f1acf6ca1d45.exe	32
PID 2868 wrote to memory of 2572	2868	7e5b899a84a13a01d510f1acf6ca1d45.exe	32
PID 2868 wrote to memory of 2572	2868	7e5b899a84a13a01d510f1acf6ca1d45.exe	32
PID 2868 wrote to memory of 2572	2868	7e5b899a84a13a01d510f1acf6ca1d45.exe	32

C:\Users\Admin\AppData\Local\Temp\7e5b899a84a13a01d510f1acf6ca1d45.exe
"C:\Users\Admin\AppData\Local\Temp\7e5b899a84a13a01d510f1acf6ca1d45.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1564
  2⤵
  - Program crash
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ish259395701\bootstrap_30617.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\buttons.css

Filesize
1KB

MD5
e10ba3c9c951f5555528c9b291334879

SHA1
e231be4624910387aaae4301d856dab528f8522c

SHA256
79c7ec30943936a9d69a189a6ae84e2380ee4fac47ecae493f482b8ffb2bc04b

SHA512
fc7da92f2d507ab7be815fb946621b0a88052e38328106834079f26dc8a064f77044750ac8930c11774f6d08c725fe0d2e5d385a6ff713a6e814f94eb2d5b04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\main.css

Filesize
3KB

MD5
46ff4e4e5941d983748163508c68e0fd

SHA1
dc5aa126f4963b55a5ecaece97321a46305bdefd

SHA256
5ddcf70b76a420c8c05fefb9da49b71f70497bf16a3fb51e370c693828379dbe

SHA512
cb02f96535a1eb2c397a843cbee7743f138d4e1b4669b386b621af19f15b298ce4c043c9c42218d7d59ce6497891061baf79880c38585ce415c7db8428e7b927

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\sdk-ui\browse.css

Filesize
318B

MD5
10c359bc980927bb66b215407ece3e66

SHA1
4a2fc034bf7b4e84d832b6bbd9413d2055b9ec62

SHA256
5b12769a75d1c755a284a73e1b8422f73d6223c23b72e5bce698c17f50185aa8

SHA512
ed707c6bbf5023aa147571d9d186e8348b11da6fb462de69e4135480f2e10081c416c80745411752797401660221e2040e624b5a6d3e1a57ba59cdcc009eb16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\sdk-ui\button.css

Filesize
417B

MD5
37e1ff96e084ec201f0d95feef4d5e94

SHA1
4ec405f2668d5d93260525ad916abafa2414cb72

SHA256
8e806f5b94fc294e918503c8053ef1284e4f4b1e02c7da4f4635e33ec33e0534

SHA512
1a8a27a92abe35edaa2c950b130579c92f0d0d87b09971843c39569cf06d407b8e896751e73452676bfad45a363f0b6dd00cb6c5faf33966880539e106b19f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\sdk-ui\checkbox.css

Filesize
190B

MD5
64773c6b0e3413c81aebc46cce8c9318

SHA1
50f84ef8331341b48981af82313b146863eba526

SHA256
b09504c1bf0486d3ec46500592b178a3a6c39284672af8815c3687cc3d29560d

SHA512
03e96bef74c0b3a31124c3d3c1bb78af1053a8719ca373c6b9316d63bac9545c1f4ecc2d747eb64341d8da31bc0f23da094e19c3e07ed46f65c28dc88e13bd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\css\sdk-ui\progress-bar.css

Filesize
508B

MD5
9211fa399bd53f6eb1fc3666cec2613e

SHA1
d54732e3a8812edcec20b1b1875e39ae5d6075ef

SHA256
cb5b1e6936638f2366d2f9d84d758210462fb8d43aa3941575147ea843059447

SHA512
92bdb6ccdd37b1cf619194d076253b916f1f1fa3b38a82c46a449fecc2615aa42b5533fbd8d7d81bc69fcc8b5a07335f893450410e9e67237e7ca77083e79e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\Bg.jpg

Filesize
13KB

MD5
7979c0c1720c8020cd6b2c4c439c8dc1

SHA1
61848c9ffa2cc889cf7053340f8f1f6e2493a2fb

SHA256
8e95caad4d58b89dc56bc0b01d116e440606f5bb84d0b6c65b9f4ed9d236e183

SHA512
21591737e83b409bc41b8851abba6ef429bf2f836d34b5807420a223c5676c2009e79eb0b2cf1c698c5900613fe3643bae6667385264e120c853055ad7ad641b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\Software.png

Filesize
29KB

MD5
037277cc7c83e5ce275dbcd95f6b44ea

SHA1
2e0e2dcc43580f4e02676401247937a84eb4428a

SHA256
7231dd694f3e5c3ee42eb52164ff09bb631482d0606a240bcdfc4f501ccace06

SHA512
26d60b0ba537698fa9ef1f1e41e6b41207308caffd5f1a32946fa9631ecbc1d73fd8983f64aa5da7f35421c29d4208e04c14091f724dd45e79e131d77104ee4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\back-button.png

Filesize
1KB

MD5
c5d63a3d40ff748895cf763749e8b931

SHA1
b3b4248e492727690c2adc7306a8ea0cd675b2ef

SHA256
226abf53c68832d2f353baf5f6c4b22464571cf247e4b811b9e736a0712250e1

SHA512
57a8d996b853b0b756840079f47b10c0a5f56cd6ad330dfd82e8609e4f10cea26a7934e1635cf0db0ca4801600b6b25f71f443f4158a8b77c08b3cd75fe25774

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\close_button.png

Filesize
1KB

MD5
77804bd31b703f61b2c3de518cd25d38

SHA1
b9968e5cb49d8607eca39d1bb77dd6c7ec78ed0b

SHA256
ded6fa33bf68caa6e168dc52ad9665fc3045e4d78f4ae4025f4232d6ec3628c6

SHA512
fd1e64e5cedd50a68ce264c5c67e5d69189c56a49c5f1e47dfc7edd33b11115412b4ba9bdff0ea853221f2b8331e4326ad0196731b8fbddc9cb8df98c3dce8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\finish-button.png

Filesize
1KB

MD5
bde927ddfe21e4acbe1331b93b019883

SHA1
1f7d30c90a8f07917ec043a11f29028949fb7fd9

SHA256
54517f639ff9017fd8c8805151e52c7fff17240c84e7b02d6d63cf468b2043a2

SHA512
773c2aac75dd68f7f34185e9ef0d1b6e2bff2e720800339bfd223fe79f6dd96852cd5863a22c1f67903d69564594bd0709fcb0554967cf01c23a99ec007d2d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\icon.png

Filesize
6KB

MD5
de79607318368d7d82fefaef312c6fea

SHA1
6b6f07d0cebe9eb54d0a125f83ec52533ccaea8b

SHA256
be8ae8078450d28c47580f1a04ade46e1eb2b6fb8344c5e97ab739f1d9e97e42

SHA512
f9d974dbb5dc55920dae6314633fe14930d35fd7ae41f2e0ddb33d3833d9f362bf15545825c5019bcb9e24c53160256934289c9fbad5c6034bfa11d8c773b0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\loader.gif

Filesize
21KB

MD5
360281e85620142c3329848262da263d

SHA1
032ae1e422af859d78d172e918573fb0f55318de

SHA256
6c7d0d5402ebcf34cb6280473b4dac5966aae2a4bdadf80c796245663e2d9b55

SHA512
48ea37754839abce73898d29c6cb1ede20ac980dcd0b8c0f1274a690ea0bb44659129aba7581bd473ab7a735b7b9d08d6d041973bced4fe3fc0b70b3a73ec2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\next-button.png

Filesize
1KB

MD5
480bc7cc2b6e44d314da14ce58fc8681

SHA1
50611ec8622ee27aa65b53005e89bb705c3f4aa6

SHA256
614e34e75b472829cd43fb6be97327ef86c3fc7247d0a4044fae7ecb152efddf

SHA512
97236ee3797fe5815a736293798c968cce6b8197748cb5e64f3c81fbd6b8846ed90ce925ceababb3c0213144173b94ef27de0ecb80a706e8d093046bdad49a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\progress-bg.png

Filesize
2KB

MD5
32a6846fe53388eb03be3ada2221297f

SHA1
1c1baec7b7fe7a420ccf68d3112384b44f8ba89e

SHA256
5c6d20c98c106bc6df49447b9939a90ba6a5e3c20d89ca0621677a7501bdb127

SHA512
79c4f3a72467b61c27d6e93415bae3fc61a9fde62aae4202ba8ed1de6328f5facc48092bfe57db70338a0a4b50f571d501eed04aed8b047d20aa28ee7446ce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259395701\images\skip-button.png

Filesize
1KB

MD5
db6ed921d71eb71d0f2e472655163128

SHA1
fd05f5b1d3f7c22d2e552e5710a87c8377df5e9d

SHA256
1499b6c109c092920c6f19b4a213d7d35771d4410c7df2fe4d23ecbe5e257450

SHA512
cc46822bd1fb16dd9254fb6c9d5df23d30ee1a8fa0ec6954812ae0136a6f4cca7f78044fa5b0ffd87896a44c92aaa7520db4b0164cf2c7828abd3140c21ab866

Download Submit
\Users\Admin\AppData\Local\Temp\ICReinstall_7e5b899a84a13a01d510f1acf6ca1d45.exe

Filesize
576KB

MD5
7e5b899a84a13a01d510f1acf6ca1d45

SHA1
ed228c86cc2b5ea5ee9d44529922e5226dcd9b6e

SHA256
ec71ef930f4d62ae6867a89ff441606686f1897d1f9e13f00e17682b47b437d5

SHA512
cb31201f66edf97b2df0b3b84ac4d52295c18aba30277a26d399bbdba953afc2f761c76dfa00f2109f42d3beaf552003af882485b2cfa5874e9dd8790db9ce50

Download Submit
memory/2868-150-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-153-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2868-2-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-1-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-149-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-125-0x0000000004210000-0x0000000004220000-memory.dmp

Filesize
64KB

Download
memory/2868-151-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-152-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2868-154-0x0000000004210000-0x0000000004220000-memory.dmp

Filesize
64KB

Download
memory/2868-155-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-156-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-157-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-159-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-160-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-161-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2868-162-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download