ae7dbd2586471669127e85f994e87b628876aac2b5f7a33738c82dc7cd4fb8b1

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86552866d14bb032a92d3d80b7b31929.exe
Size

878KB
MD5

86552866d14bb032a92d3d80b7b31929
SHA1

66b9006323c3ada3851468bace5c1e0df7dc0b31
SHA256

ae7dbd2586471669127e85f994e87b628876aac2b5f7a33738c82dc7cd4fb8b1
SHA512

27c2eab6cdeb98e314e00a5e4216c1da010f9f2692153b662a04a224c937867ee1150f0ee4b3cbc3f8be313546923020970101b84ed6a6ba5b6829aafda23a27
SSDEEP

24576:e3pRurPdW79gz4ptp/zLzuBDWTS3pTik2q:e3pRWy3pPzmhZTik2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmor.exe"	86552866d14bb032a92d3d80b7b31929.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe
2932	86552866d14bb032a92d3d80b7b31929.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2932	86552866d14bb032a92d3d80b7b31929.exe

C:\Users\Admin\AppData\Local\Temp\86552866d14bb032a92d3d80b7b31929.exe
"C:\Users\Admin\AppData\Local\Temp\86552866d14bb032a92d3d80b7b31929.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\olrckem2.default-release\prefs.js

Filesize
5KB

MD5
963b9ae81d998418b9b117e080c91778

SHA1
df14aa6e776c260a3cf62ce68806d4ea6c42249e

SHA256
6ed683f0609f169455426c386799c239313427de2487b95646059235d972e6a9

SHA512
b5dd68bcc72613c80948ef4be1f659b8f95a78679eb512adaeafb1454a7ef77c5439f210957efd1f0071d42ea5f73d415cd15dd1d57d793b6b66311a8260674a

Download Submit
memory/2932-6-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-7-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-14-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-0-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-15-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-8-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-9-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-20-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2932-2-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-1-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-23-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-26-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-29-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-32-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-41-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/2932-44-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads