ed3cdc71e21e5f846284826f81d9d9abe02d61a8038b80350ea3b7dc843a9b3d

Resubmissions

27/02/2024, 21:02

240227-zvlw9abe32 8

27/02/2024, 21:01

240227-zt7sbsbf3s 1

Analysis

max time kernel
74s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27/02/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release_v4.rar
Size

15.5MB
MD5

fd1bf04083511e2f9039adb11f6f0fa2
SHA1

dc22c2de27239653e90c3c37c59b6c3a2177d10c
SHA256

ed3cdc71e21e5f846284826f81d9d9abe02d61a8038b80350ea3b7dc843a9b3d
SHA512

5192f2ace2383716f84f80eca6bf21d3f0c08db5ddf517adf3a7de33cf415a3a7c80b3aa30201538c0769aab85c4dee6943393eca2eb614d2e21db724ea3ff69
SSDEEP

393216:/zYZDaxJ95F9ejuNQwWNPN1tWLsIjx5Z50vWTWSGJ:/zOa3pcjuGXZMLd3L0v9SGJ

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
488	setup.exe
4336	setup.exe
3236	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
5	api.myip.com
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
488	setup.exe
488	setup.exe
4336	setup.exe
4336	setup.exe
3236	setup.exe
3236	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1228	7zFM.exe
Token: 35	1228	7zFM.exe
Token: SeSecurityPrivilege	1228	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1228	7zFM.exe
1228	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
488	setup.exe
4336	setup.exe
3236	setup.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1228	728	cmd.exe	81
PID 728 wrote to memory of 1228	728	cmd.exe	81

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release_v4.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release_v4.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:352

C:\Users\Admin\Desktop\New folder\setup.exe
"C:\Users\Admin\Desktop\New folder\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4916

C:\Users\Admin\Desktop\New folder\setup.exe
"C:\Users\Admin\Desktop\New folder\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Users\Admin\Desktop\New folder\setup.exe
"C:\Users\Admin\Desktop\New folder\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\Desktop\New folder\setup.exe

Filesize
15.5MB

MD5
3f51cabd26d9dce9519a8164f947f88d

SHA1
c53191bb51e4539787b8482ac218ce1df373c7b1

SHA256
a948665b62ab4acf12f0c1656ea63884aed4e2475d3578c605df4d5ccc5555b2

SHA512
6167d1a2fca15746b6be7e7da634e507cbc9ac7ce2f49f681220a5a19a7665d2e9910090d10b043012f0ee94def5359d2a5fdf84fede699eddb53cbd2e8db514

Download Submit
C:\Users\Admin\Desktop\New folder\setup.exe

Filesize
15.4MB

MD5
2ed435b6a93078973a1e75ee05da9256

SHA1
805fd6a8514a39fee076e6dba64833b7a05eae24

SHA256
d1275f5f90efdd9647d19f894cf9f9ec8ed47077967de6ddbc9f0cbd8eab5569

SHA512
8c81918b9e261d4c65abd740bbab65b2a03bf5204989628f3e8b72b54878cbac28e0add5d48a80f7c6402f53fdbb1887d4b07d24b887e3a73b5567d80eb8e287

Download Submit
C:\Users\Admin\Desktop\New folder\setup.exe

Filesize
7.9MB

MD5
364d37eab39779acafc3891576d04939

SHA1
9b580be07f8da5158dc170337e65b3929f6d54b0

SHA256
95437e8489bf9c2c699af788d8a7ca6edf2efd6f3fd61b36ab40248a9b8e11e0

SHA512
3ce579eecdf24bb1ae32cef64d4c56158d1709ce2a8131edc183e17d6bf86025f90e5da6cfe68530ae649719fe4a4c91845063ecc29721c08324308fb3fca43f

Download Submit
C:\Users\Admin\Desktop\New folder\setup.exe

Filesize
10.6MB

MD5
6b2abab40ac32d104653857f33ad2f7b

SHA1
7103114c8884fee02947e5cb61ac674c7a2e7e3e

SHA256
153343e74153529e8ab971b09fd70678659339e942e712796f11b48a3565dabe

SHA512
aeb7316c93dbf374257eec186368f126342290c3c257248c2d88601788a56ee32428d0c92067f371019a53f2c070fadbbe8417ef3b9cc7ee5caaa42e98744613

Download Submit
C:\Users\Admin\Documents\GuardFox\3QtCG5MsOwnyy8ZAZ0HGdVhu.exe

Filesize
278KB

MD5
d99abd78790b7f5f4c644bff969945c4

SHA1
87a46f190a0631bfe9ec07792d9360b03b9a12e2

SHA256
319e66822b0f7619639ff1f1f83519b79d85075ea4307465f887e4ed25994ec6

SHA512
6c3214fd5f9244b885bb2a16a5691d857cb6a52d3a3bf1d51b0a2ee809b4f343f54651b5fdc843b45b117154fff185a85acacc175d715cc12149fabf7dfee307

Download Submit
C:\Users\Admin\Documents\GuardFox\4oFHfKrRabUif8qTIYUYEYjA.exe

Filesize
2.0MB

MD5
784450eac1c4e1697800934ebd44a294

SHA1
de0adb7f738598e6aaf6e01bc3ce9166d2c618df

SHA256
e00cc8b9cc90e9faadca335fa17acbbff80d02b7b0e8978d6b5e1db066321285

SHA512
7f6e3046e4362de82711098855fcd69b1b9fc49941e126a35fb36e47e72ea0c93e8f9cd61e82e9324a96a8af48e3abe4151b2551ededcc4647959b187e57c530

Download Submit
C:\Users\Admin\Documents\GuardFox\6ektGXZjglVNfoXr6ZKoFo40.exe

Filesize
243KB

MD5
d579c5a7e5e353deecb839366857ff41

SHA1
ed29eabebf3446a8b73f2fce30f3511c041a8e81

SHA256
2efcf5503ae113a22f39599e7bd606d54058462d8c69326ee361c52488551779

SHA512
11d1b5882c3ae78670144e5bd7c8c79850206f8a00dd5856be4358cc4700dcadc52efe682dcd24ed9d69ca5228e68731e426be9e41b2393ec784494bba7e5978

Download Submit
C:\Users\Admin\Documents\GuardFox\ABgNp3UUzlZKtzgRgdKZwJh5.exe

Filesize
744KB

MD5
ee0580d0d373fc4eca7eba585db765a4

SHA1
d878a360694b418ab419d1c6b994ff618a284659

SHA256
036f52a5fa078d3f8d8e0b3d788aeb46f119dd014bb67381fda8f44705a20ed0

SHA512
915de9d0fdcbe78c8d0bcc6dba1683d57798903460666f5ff634c72a4660fe69a4c57d64ab03d8f92d85a6b33c91da14ee2f1e227b2af9988b220c05581c6004

Download Submit
C:\Users\Admin\Documents\GuardFox\B7RADoqALO1RuVp9jvuXIW_E.exe

Filesize
252KB

MD5
b3d312aceaff49ae3837686d7192b0b7

SHA1
d2f9d09e294c1d830fa2ff376f3a02522fa15031

SHA256
5ed6e47d975f28bdc19caf14deaae171d1f6f8f57f848565bb665c3ef1e92958

SHA512
b3c79062196242631643983daea1a470604c866fd1ff611810ec4ab7c8db0e3c3c06b67f18e2f2e1c18a5611ff9e4798d6af594f23c0a8c7b39bc23296283002

Download Submit
C:\Users\Admin\Documents\GuardFox\DAkBRjtvvfMT5lCueWvFE9ZJ.exe

Filesize
297KB

MD5
9263197aa58e0e5bce76cce8f6323a9c

SHA1
06cf5f4f2c3b8a7cbf8064f15f4e6f988197470b

SHA256
ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16

SHA512
cdf2f98ac3aa9efddb8908ce1101f429bb390617638d3fdd1ad698fa03727c183879d68a4a1ee8b15a12b1f7c840b8d6df1f6fb63a95ff2ce8d0e5a40bd77fab

Download Submit
C:\Users\Admin\Documents\GuardFox\Edjb4RRR3jZOhiVXJ3s6spmj.exe

Filesize
4.1MB

MD5
c5eb9b3f3fbf70ae0eab46a342fa198c

SHA1
fe26c6f495bc60e5b01ca4fee31cd46b2859f958

SHA256
d7d7c122dc00c2f597b54f0ed215a276487573e43a8234d5c38c5d8f25b0b6bb

SHA512
83cf97459921b57954539cbf67853cebfd9ea2ddadfb945c57c918dc97e46a3e35dceb60481ae5e7407159997d88b1167bd12bf6b16f1376bfd868004a231776

Download Submit
C:\Users\Admin\Documents\GuardFox\Hdxg72goh9ccSC32n1xBbkvY.exe

Filesize
5.0MB

MD5
68813e7402910c1f613fc65c759a92ad

SHA1
8a9af0a4a6c1d1683d8badf0a2a9f93962a659dc

SHA256
eb14e6bb33f96e63d91ceef679be9b28c5fe040c500fb171edabbc4603a6f5ba

SHA512
2ee6618293c8b7faa98cc59adc5df5f7a8195dc6283b0d51635b8cf1746cfd366d060a723a37da78c2801aaa301b52175c065100dd94dcb88b3e92e7e52079e1

Download Submit
C:\Users\Admin\Documents\GuardFox\JVMQgRQrbp6TM5WJEvxJch2D.exe

Filesize
3.5MB

MD5
afc05b91ee9eb724b6fae963aac577e6

SHA1
d41a9d7f9ca1a4b33b2dbb22fe51d792400d174b

SHA256
62b9beaee1735e18e0d4b7511a839a0395beaa23b14a8dd010b5448bb188f232

SHA512
957942744e0b9ae4b3bf88432c1c2264bcc5ce65f0b2804566c7d0bf9cbb38b090fcea24da7b0e9c927f7633c50fda89b5b57e60d7bc9b1d08f5207743fbb145

Download Submit
C:\Users\Admin\Documents\GuardFox\QPiijHb1uQjyzqvOI8U6wCgW.exe

Filesize
285KB

MD5
059a930e5f33a348b709f78ffc01e9e4

SHA1
b0595414e0964aa87d465ae7e5aad105c660e1c4

SHA256
17bf11baccfc41056deed1f7658ca2183c34cff636c9372b1ecb812cdb4efea2

SHA512
db1e32f74765ca1eb64b32202cda9a6b4477b2a38729a15ba1e6761c5c38f30d1c44aa9bdbb217df206fa16f6d82c414a00a0f3a52c7e66fcd967887a22041ec

Download Submit
C:\Users\Admin\Documents\GuardFox\T6x_RyS9YRTNUaw9837KTMMV.exe

Filesize
243KB

MD5
1d92b6531231fda6f3a0be22e8ea931d

SHA1
84ea2de7a16c88e7589e26ece5c42a7e3b06eaeb

SHA256
aa0b809a439ba1de9d684a453e1a78a3d32fb00c1c61057f2d80ba2604f6a1f7

SHA512
e1cf96ab3730a435ca6e9c94619ba349c1e5da9f54fd3601eea03999ce1be59913347d460b4fff2c059ca257e238bb9720befadb0c2f4ec0e4f62c912c03ac66

Download Submit
C:\Users\Admin\Documents\GuardFox\UzI89IC8o2io8hYodF9d66hb.exe

Filesize
1.7MB

MD5
e17e75a0b28e5002efd9385e0e250a9e

SHA1
0bec948af16f475edfae75cfda362ee15993f02e

SHA256
d6c37e10b2b68888122e14a10a3f0f345d442a5e1cc90b86db32266e19a2b25c

SHA512
56af50f4bc561b9097d2ab206a655db7c49ad840cbd48aa34a601d177282c194f6c4c6716ee11ceb7132908d270c3831869a663dda8ad1ebebeda43360841ff1

Download Submit
C:\Users\Admin\Documents\GuardFox\fNMuOws2wE8Kyxezw9EJw9EA.exe

Filesize
253KB

MD5
fe6a5d860f6219d8c715bc0c632cfa39

SHA1
6b90dbab88bf47e9514c0cc572110218ea537a4f

SHA256
94ea7e57931224e4b9ff0d5cda33fb14004376c89171d14b084133b0289bac17

SHA512
12238daf4e7486562a7bb18038f399b7a127eb60f649234d47024d6392e9cef7c1ad2bd0a080e84ef03d4e8ca88ac6a6694ee0523fc361e699638c68d01b28d0

Download Submit
C:\Users\Admin\Documents\GuardFox\iD8lZ_BfLMq_KCwGeuNLqonc.exe

Filesize
251KB

MD5
5c666aed70980ea1d08ad44459eaacaa

SHA1
800d5a7826018c9ca3093cca18b41989d086a370

SHA256
b5724d1ea8d2a379e0989ab74ab7719ed93d94dee8638b3dc31e53569cc36107

SHA512
fdf44e1c4ee18a8d67334cce30a22cf391ad48ad95c92f858f35e2090cd5cf5029240a2e7bbe4a7a924d75d5c3c9c616115baeb02af08c2c285e46f53312a5fc

Download Submit
C:\Users\Admin\Documents\GuardFox\q66wViB_afKV2UQ1zys6Q7Tq.exe

Filesize
2.4MB

MD5
b44537218ac2e8e3c3271702059d73c8

SHA1
04bb88767910670d19616031528aa18d16c40789

SHA256
8a1d711b53f063158d84141a2b1b0264d51ee93c2b0d051deb32f5b5a2753bb4

SHA512
785692f5a7854d67f312eb22b7cb0b7856fb2ddd52216f2bb1cb12655fc545f2c100bce93e56e4e535e996bd80157cc967e1464ec403d6ed6a877a25c559e8d4

Download Submit
C:\Users\Admin\Documents\GuardFox\tGKV60vFol3UOZfSzJfK2mNW.exe

Filesize
3.1MB

MD5
2d21ebfcf206ae5631316fd0f7c603db

SHA1
92446cea362d5add4806f32c4b49e20a1b182f87

SHA256
c25a710cb692137bf2bfa758b4dd2bbcc3743c6eedff481581e16d4adbd9db53

SHA512
d44a2bab9482140914240ab4d813af51cc243ac7e1e267cdbe8bf36b79de83bd8d0c581e502c7b05fdcf6fb54dcccc3e5bdb52a4041ac39e37aade918b3ad004

Download Submit
C:\Users\Admin\Documents\GuardFox\xZ97Cls80mpS343abB2Gr4hv.exe

Filesize
3.8MB

MD5
1495b8599e510cca894677a4d7aa6afe

SHA1
86f41c8bfb9aa3743cf6e9a5d92300d7dd261944

SHA256
e4afe4efb43ddb45821e1ab6fa514ea14864396caee15d9f27ffa3b43a55e7bb

SHA512
9de9ab5f5cd5ae9d14e13f7776116b6dce787e851ad8af2489fa238860519e6f362c8282125773b14502946082b70f6b819f0d03fc8de12945314504e8e7d17e

Download Submit
C:\Users\Admin\Documents\GuardFox\yAQsCZBY4FiFwzaAAw1E0VrG.exe

Filesize
2.2MB

MD5
406a6cc6b23a53f5012a199db566f2c8

SHA1
bb352745d6eb6a740e365c73106cf93b4f5de41b

SHA256
0c8c4f2e9e9a36562aaef71109423a6b84e3796f50c7660ed1a6e0ef4e9fee2c

SHA512
cea8c2dafe8fa973d69d2b374db91b76252feac0b5639260a601be9316eb58dfda1e72ff2625b5e05b38044ae3705d0134dd718b7811f64618af4236dc2507f9

Download Submit
memory/488-312-0x00007FFCEE870000-0x00007FFCEE872000-memory.dmp

Filesize
8KB

Download
memory/488-309-0x00007FFCEFD10000-0x00007FFCEFD12000-memory.dmp

Filesize
8KB

Download
memory/488-314-0x00007FFCED920000-0x00007FFCED922000-memory.dmp

Filesize
8KB

Download
memory/488-315-0x00007FFCED930000-0x00007FFCED932000-memory.dmp

Filesize
8KB

Download
memory/488-313-0x00007FFCEE880000-0x00007FFCEE882000-memory.dmp

Filesize
8KB

Download
memory/488-316-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/488-311-0x00007FFCEFD30000-0x00007FFCEFD32000-memory.dmp

Filesize
8KB

Download
memory/488-310-0x00007FFCEFD20000-0x00007FFCEFD22000-memory.dmp

Filesize
8KB

Download
memory/488-308-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/488-454-0x0000026288C90000-0x0000026288D0F000-memory.dmp

Filesize
508KB

Download
memory/488-539-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/3236-550-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/3236-557-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/3236-561-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/4336-542-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/4336-546-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download
memory/4336-534-0x00007FF75A8A0000-0x00007FF75B181000-memory.dmp

Filesize
8.9MB

Download