3dcc8c5e9717d6bbfa0d90b444ee27bbd688e3b406990fc7c5ee9dcdf1fe5feb

Analysis

max time kernel
64s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2024, 10:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file_release3.rar
Size

17.1MB
MD5

e76238f92fc7f695597b3c10422f6e3a
SHA1

cc9191497835c5ed4414d607f8addb15cb20e560
SHA256

3dcc8c5e9717d6bbfa0d90b444ee27bbd688e3b406990fc7c5ee9dcdf1fe5feb
SHA512

8003165eb9a6cf356fe09f8e8d6e130527baa0423e3d4da99cae279b89acb61882d4e6ce6c8bc16937166db9a4c279a4fa4ef7d8d76e3c6ee779d1655aff0665
SSDEEP

393216:YhzDz1G4AS3g2S8XwXs8Esssv4OEEiz14uyEKA5443ZniYlgLsyK:YhzDzJ3kvStEE1zyEKA5F3ZILsyK

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3456	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.myip.com
2	ipinfo.io
5	api.myip.com
7	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3456	setup.exe
3456	setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2300	7zFM.exe
Token: 35	2300	7zFM.exe
Token: SeSecurityPrivilege	2300	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2300	7zFM.exe
2300	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2300	4168	cmd.exe	80
PID 4168 wrote to memory of 2300	4168	cmd.exe	80
PID 2300 wrote to memory of 3456	2300	7zFM.exe	85
PID 2300 wrote to memory of 3456	2300	7zFM.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file_release3.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_release3.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\7zOCF820527\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOCF820527\setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCF820527\setup.exe

Filesize
3.2MB

MD5
d88d76c723261f0aa27f30fbeef0ab1e

SHA1
b34d4bc7fc2be241230ed131bf492c41984f7a00

SHA256
cf7f6f4d528a824902a19fe5b81e15dc47dc8d492e22f49fa3c46ae97556c51f

SHA512
427d243eed52203e5bb4e525efd4462d51a244df78a61ceff424598b5bd3750bdb3518595002e6cd0e08685a1f42e9fd649b4be0b3b8841e57a054208fc5cc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCF820527\setup.exe

Filesize
3.2MB

MD5
2e7805df1757006d26cee73c2ea2c6c6

SHA1
71de597ea798d02f8aba3c4b7b5cce06dac14f6a

SHA256
b43a12a6436d92bb13197d01fcfd454f6b0906318f597d30daecc908f683e4c7

SHA512
99ec04fa2925af11ce627662c8f36b6f598473b3a86dd8d277d5d4fac58dd64ddd38cb1bedc9a2675f96ee15fb988da697703c934791e69e8a4bc46a772bbe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCF820527\setup.exe

Filesize
10.8MB

MD5
8aba18ae43cbd1191d56121589dad759

SHA1
114481047e96bc7f0549891f5b2d806fd9b39fb4

SHA256
2b06620684009f179a68dd482bebbeac84e2dcbde20e067efbf1deb8cca0f5c9

SHA512
508ca086266f9569fe908bb3bd33f3420c70de66236449b31d3729513c2275b1414c3c2c82984bfcc2d780f392fdeb26a9c04025db6ad49519fc4ed083dd1fb7

Download Submit
C:\Users\Admin\Documents\GuardFox\2rRwYhKa7_9QR5AgbyzoFIQe.exe

Filesize
161KB

MD5
90149348341f1ad2218258051885e9b8

SHA1
090f46a0bada7e5903ed819ab71b39a6d242769e

SHA256
249cb2ebe8680fe60c40ddc63df6898fadafa5bf3c6f23022251ea46cc2761cb

SHA512
90cc876518bd6d663e8aa055faa738c6175cc7a7f37cbca5fe81e7a18b14527045e2a4034fbac3c8d800189efe4ecee56bf3f6d47bc4873a6a792dec228443dd

Download Submit
C:\Users\Admin\Documents\GuardFox\67IL_jBEshnyZatQekCxJfw9.exe

Filesize
4.6MB

MD5
248cb822adfb4df04fa5e54b14b1d2ed

SHA1
c21ff86c9aaf8459bc85c1a17e5d07d2c5d15a6e

SHA256
0c3a4a38bbe8a2eeb8776ac1030c69be3ca8fc05c2fe9544055dcbef13bf771b

SHA512
586b350fc18f29a7057f36e7d807a374895db593872d1dc37212321e38109b83bca29390a1f05997a64b1cddc4d4b2ed54e821ce9138b7f595f1fc5d605061fe

Download Submit
C:\Users\Admin\Documents\GuardFox\9zpq3ykoEX2uV45q5zNzHd2S.exe

Filesize
757KB

MD5
fb508747e743990136da1111336ffb8b

SHA1
193b3b1697d65eaa247a33c490638fb565dd0d97

SHA256
ac15b8bb1a88f1ec3fdf9943af645400d23e3a0f73a6445d52c74097918441db

SHA512
36f190f51d3029b8d85d35e2bed8b67c8c66794a4557c08b7c9f544e15b3f5a3f278d41f93d53a0cb64e10cf307216deeef4322712f0b16c668f8a52308041ec

Download Submit
C:\Users\Admin\Documents\GuardFox\AZ1IwWHE7WW2Ldp4fklOQ9UI.exe

Filesize
160KB

MD5
263ac8342632cae7d65d6cc28a58f09f

SHA1
5f263d702ec73f1460e1b67583b18bb0f5d4c780

SHA256
a0ee68d59cc258e5785c0bb8f3deae3725aa9991ae79d16bee95fb257c1cff93

SHA512
fc65a1f0ebf08adf848d6a0374cba8e0304cf39f5a0cfe3cd6e5b97894fa6ffffa9ea487c5416c2af9069e032ba7db68297dde8b77a8999a88fd6b99372334ce

Download Submit
C:\Users\Admin\Documents\GuardFox\G3vHdXtBhOeLjcZycYjGuxAt.exe

Filesize
4.1MB

MD5
37779b951546c3e3a9233e54bc54d86c

SHA1
b8bfeaae78fc52a8867abd22954fb69b2564de0e

SHA256
e6330881d1a55bfc8a4988c2bf11bf105ebcd00ed4ce2efb9a0f3192fa8612aa

SHA512
46e268eded1ca0341bcaaab46f30734981446af57610301b3f5f03bcfbc76163afdd94391493ae514d8396f9137b83ee6b25753190e080845627c1b4780ab962

Download Submit
C:\Users\Admin\Documents\GuardFox\HuPVXX_MhosnJSdGg3tXaF1u.exe

Filesize
248KB

MD5
1e80487867b27adf5c63b57d2d47375f

SHA1
7890eb73d1034076137b543cd05e04972c2eef8e

SHA256
cd91fa6e463eadfab0a9599a1681b1d396352a7d1dc331e96d4fba1f138263f2

SHA512
426f328c1b02c5c8b095e01d1d4c70501bb6e4c6322d8d94dcfaf324b1ed8bf6cbd4491d2b82ad4c32c67bab49e7a8f336006877d2924e1f19f7d555458b847e

Download Submit
C:\Users\Admin\Documents\GuardFox\KQX7BtuSBF3CPgvjMh2B1BXz.exe

Filesize
248KB

MD5
da031655889533dca1e09f639f2914e5

SHA1
583dec3a5f5d3a0d87670dff0b4f545b3636d7ea

SHA256
e0194a7754e9f31d445f4b369589571f91786828868f9a3465d30483181fc245

SHA512
e36514c1efda50e707bdd8562eab89a91af1a044e5ea9ce54e3d23f6af63f7c1c48288ab66159405612024261fab490946ce891bf0ff0f5222fc6cc971f75a3c

Download Submit
C:\Users\Admin\Documents\GuardFox\Ks96pZDEH3unyAnmilifq7Bz.exe

Filesize
248KB

MD5
bf1673f40fd3c6c25ccdc5ff70beb39e

SHA1
cd74b2c2f506cd9bd9f947ed62c89ac9423239b7

SHA256
db9a2d178d2e738c948ec6a5b12ed0d8f9b2694b169c23af0ffe3da659da6419

SHA512
8112d87795f1317886d3c6f51b0634ed2b2900b4107b6a4d8d39112ae93107a0f5bdc2ec9ab655a5d5d19d5285112e9a501f92553d11a30c0bcdb3f86ef11e21

Download Submit
C:\Users\Admin\Documents\GuardFox\L4IEBRPuT8EaLNHXAWdBTRKO.exe

Filesize
248KB

MD5
7863ee386fd3e546a90dcdb4b71d2161

SHA1
d9cb0230a013a126c1f34bc74fbafcbe5def9101

SHA256
ffa4179350385262694c8a5e85016f9867cf9a31cd4681864224c0a984831a81

SHA512
250c511eb5a4e0c9227015fb3bf48d15e3358ebcf921f24171d468ed68f9c3807b649439913b79a52669d58521e776b55cc93606b257482ec188c8e116ffda37

Download Submit
C:\Users\Admin\Documents\GuardFox\YxsjNT_dxQ5JxBrzBf1ncEyA.exe

Filesize
458KB

MD5
b3460fcbf91d8cd82721a5dd28e2d9ab

SHA1
764b0b68e26164ef3ff95b874056f3f852cf6896

SHA256
7ce21eef2f2c2f5ff41cee6d2faf822350d998ddc8efb37258d94243306fef84

SHA512
b1cde0b1fd43cd025e07bf0ab2716a483d5c30b897997e95bf55a18b597adf0e5c6f59603c6fe15361312ece097d768e597e8b473b831f34f0e810eeb8dece54

Download Submit
C:\Users\Admin\Documents\GuardFox\Yy5zQh3lJ8GeXvRDV6v8MMZq.exe

Filesize
2.0MB

MD5
21b11d93dca285ac0cc5a74630b51763

SHA1
ba4ee7c30cac15661595bf0219cf2e29b927996f

SHA256
e60bc3b9694d085eba83b92cebbc844963f4b91505b1f3a75d7588828b75200b

SHA512
55d8b6c3909c38a2e3d64d20e7a56ebe1f75e20c2b8c9afe10633c33b931247bdb51f8a035c19b455bdc8d4dc0debe665225452e93c0216e36616198ed49f985

Download Submit
C:\Users\Admin\Documents\GuardFox\_EJxJneHtL0NsVdUVpxg_Vv5.exe

Filesize
1.7MB

MD5
5019674eb9d5b72df8e0248d71a8e870

SHA1
ad1d938aa36d9cc08d004186ffc4c1303f03e7a6

SHA256
feacaaab04467e17d6ead3979ea003af719f387bb4ec1d7cc336f1a2f466a71d

SHA512
e9a7cd066015051458f73b3e23399265f96190deb241bc1c322ca7176e1f558fc21b10e2e5fda52ee9eb474b6cfe7aede62bbf8fb39d9532b654801dec49c598

Download Submit
C:\Users\Admin\Documents\GuardFox\aWVgTr02avP6BnmlGTUOLOAl.exe

Filesize
1.1MB

MD5
0bf189ba3cf96c0c9e91c69fb343247e

SHA1
97225c55067da12d825a241abaac1a205200c2fa

SHA256
33a0a6eb1b9f2941016f8b33cf62bd2c40c84e63aa88ec5fd7a5ff79948c1718

SHA512
7a2249c9af9b45d852b13de5e6a8e7e2f5d152167c75adf1695ff8ce41a5ec53b82bb06a0edc4ea56a8dc9d194065f7d2c5654c06ef9ca02f6b09e547c6862f6

Download Submit
C:\Users\Admin\Documents\GuardFox\auGy7Ag5sscD3e1fswWh7rBF.exe

Filesize
1KB

MD5
64b9a54f73b0ade7d815586c4302560c

SHA1
408894d6e775cb031103d93df49bd940aa08f262

SHA256
85b1976d445406ca40b370fab57ad85aea8bf1f35ed6b8dd778f1f764536fa69

SHA512
0c27eaffebee7a6aff95592d1634b7fc04935e30f5ce758d79e459d3982cce0b65ab5c3dd6f2bef662bca201a696a651175153b8bd3bc23c4d7c0e88b425b859

Download Submit
C:\Users\Admin\Documents\GuardFox\cP3KN4tMNjW_S4rt_Aq0MkCj.exe

Filesize
470KB

MD5
668206e5fd62a578b327c705182be24d

SHA1
feaae488a69baa750de5b05586143d42ec73b90f

SHA256
bd98091b3dffe6f65b820ce0f13eead25bcf0fe3271f3d7e9764e08c9916f456

SHA512
c674d366d4334e0e5356f861f3d497dc59b8d6d924f817dd2e14094d262caf22f295e48cf53e69b98718bc1021d82c1710c011e7d5580c6423e73c3ae6053243

Download Submit
C:\Users\Admin\Documents\GuardFox\jQu1dHB26eES9LuIW1ZL6GKw.exe

Filesize
190KB

MD5
ed7fa4cd0dc9f6fe8e90912dccc78843

SHA1
7f00c189d795a01c89d170dc3dc25f4d2bd23b16

SHA256
d6ee63f9436378f290d982d60e9d734a8f3b1fd487b15a5df181d6adaf601f6b

SHA512
a7735cf52ae3672bf3e7fc0965a22f39eb8867592d5fe4a71c67affa3ecd8b4ccbc77d1223bbe23a7a0d114108c567ea4a8d39dbb5556246da2bd2af15320f86

Download Submit
C:\Users\Admin\Documents\GuardFox\oUwzToBR_LtEaNvu9fTvkXY1.exe

Filesize
248KB

MD5
7a5f66a4962b81c79337ab5502ffe3e5

SHA1
6cafc485e6a35c16099679e00da37f18db0a3840

SHA256
680ad7b3acc8feb4b7026e649f6d1aa64c6b532cc79740fbbf4b7ebadb664109

SHA512
c37ef42e63a33d6aafd0333c9980b62c30080597fd3e805225c68815b4acd5bf2cd7b3d9b57098c14e9c3ecee6012a746680bc1d0839137c4941fc9e72ea93e2

Download Submit
C:\Users\Admin\Documents\GuardFox\w02upUdNqcSERwNn1YZdhJ3A.exe

Filesize
2.7MB

MD5
9c443627b82357e3707894b9b6f44151

SHA1
9de1815a46c92361fc9f4516f3ad9bd7e215e9af

SHA256
d5ea03a58eb0de787ca042e0b0b42470f4a9955e40bb96320b3f5774604d348e

SHA512
6f01dd4f316599b497d8ed863bb6ce6f1fd5c4dd55c3b326c0388abe1697ace49175b03c8e33e02f14e8daa9006bc0862c8b32696152cdfe2c2c76ab166719a3

Download Submit
C:\Users\Admin\Documents\GuardFox\w3wuPH9zVp_0W4czsjX8R_a8.exe

Filesize
284KB

MD5
578dbdb63e13cccbe7e1b252865d4401

SHA1
11ef1fcf3f04c361f26335fbf907085711970fb1

SHA256
e99ec9364ae470857e31e00c9b144c45397ddee1b814a3486eca5876e65105e6

SHA512
d06158ce7070934cc0c31fc431944e70509d70035ceb1cdafee0104ba8bf868998412bd6db79a8d805a1f8e1977919fb21ec902b55e4deb8de124917efab76c9

Download Submit
memory/3456-19-0x00007FF7D9AD0000-0x00007FF7DA183000-memory.dmp

Filesize
6.7MB

Download
memory/3456-17-0x00007FFA9D3D0000-0x00007FFA9D3D2000-memory.dmp

Filesize
8KB

Download
memory/3456-89-0x000001BAFAEE0000-0x000001BAFAF5F000-memory.dmp

Filesize
508KB

Download
memory/3456-18-0x00007FFA9D3E0000-0x00007FFA9D3E2000-memory.dmp

Filesize
8KB

Download
memory/3456-90-0x000001BAFAE90000-0x000001BAFAE99000-memory.dmp

Filesize
36KB

Download
memory/3456-15-0x00007FFA9E910000-0x00007FFA9E912000-memory.dmp

Filesize
8KB

Download
memory/3456-16-0x00007FFA9E920000-0x00007FFA9E922000-memory.dmp

Filesize
8KB

Download
memory/3456-14-0x00007FFA9FB20000-0x00007FFA9FB22000-memory.dmp

Filesize
8KB

Download
memory/3456-13-0x00007FF7D9AD0000-0x00007FF7DA183000-memory.dmp

Filesize
6.7MB

Download
memory/3456-218-0x00007FF7D9AD0000-0x00007FF7DA183000-memory.dmp

Filesize
6.7MB

Download
memory/3456-12-0x00007FFA9FB10000-0x00007FFA9FB12000-memory.dmp

Filesize
8KB

Download