6e4e40e143cb43db3f05e4d296303da14cd987fc4c98d21fe108e958194563f7

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd7e025e683ae4b5161993af966f0c81.exe
Size

7.6MB
MD5

cd7e025e683ae4b5161993af966f0c81
SHA1

6b26ed9dd1733917944c8b212df04f4499a32472
SHA256

6e4e40e143cb43db3f05e4d296303da14cd987fc4c98d21fe108e958194563f7
SHA512

cc276ee108d505cea6b4a540bb420aae47266a5b50f9b17b96bd22f378dbaf06e16c4b8af1b4e8a2cf50d59af8fe250787bc7452315f65674d23728fe01623fb
SSDEEP

196608:OGQ9onJ5hrZERMB2WZufOuD9LU/QKyPrkLrEozn+nU0:ZQ9c5hlERo2WmfDZUXIkLQozp

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe
3028	cd7e025e683ae4b5161993af966f0c81.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3028	2340	cd7e025e683ae4b5161993af966f0c81.exe	28
PID 2340 wrote to memory of 3028	2340	cd7e025e683ae4b5161993af966f0c81.exe	28
PID 2340 wrote to memory of 3028	2340	cd7e025e683ae4b5161993af966f0c81.exe	28

C:\Users\Admin\AppData\Local\Temp\cd7e025e683ae4b5161993af966f0c81.exe
"C:\Users\Admin\AppData\Local\Temp\cd7e025e683ae4b5161993af966f0c81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\cd7e025e683ae4b5161993af966f0c81.exe
  "C:\Users\Admin\AppData\Local\Temp\cd7e025e683ae4b5161993af966f0c81.exe"
  2⤵
  - Loads dropped DLL
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23402\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\_hashlib.pyd

Filesize
45KB

MD5
496cde3c381c8e33186354631dfad0f1

SHA1
cbdb280ecb54469fd1987b9eff666d519e20249f

SHA256
f9548e3b71764ac99efb988e4daac249e300eb629c58d2a341b753299180c679

SHA512
f7245eb24f2b6d8bc22f876d6abb90e77db46bf0e5ab367f2e02e4ca936c898a5a14d843235adc5502f6d74715da0b93d86222e8dec592ae41ab59d56432bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\_queue.pyd

Filesize
27KB

MD5
1707a6aeeb0278ee445e86ee4354c86c

SHA1
50c30823b1dc995a03f5989c774d6541e5eaaef9

SHA256
dd8c39ff48de02f3f74256a61bf3d9d7e411c051dd4205ca51446b909458f0cd

SHA512
404b99b8c70de1d5e6a4f747df44f514a4b6480b6c30b468f35e9e0257fd75c1a480641bc88180f6eb50f0bd96bdcafb65bb25364c0757a6e601090ae5989838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\_ssl.pyd

Filesize
150KB

MD5
fefbb91866778278460e16e44cfb8151

SHA1
53890f03a999078b70b921b104df198f2f481a7c

SHA256
8a10b301294a35bc3a96a59ca434a628753a13d26de7c7cb51d37cf96c3bdbb5

SHA512
449b5f0c089626db1824ebe405b97a67b073ea7ce22cee72aa3b2490136b3b6218e9f15d71da6fd32fba090255d3a0ba0e77a36c1f8b8bea45f6be95a91e388d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\base_library.zip

Filesize
768KB

MD5
58b909aacf5726be8457cbfe59cc1cb2

SHA1
68033d042ade5fbd77c2bff4043b5695504cdd31

SHA256
f6536c1f1f557a217481a1a9b8f0073ad607c6f3ef43c4ed9d33f44e3d0a7625

SHA512
fac103e6b70543824f298b21100a894c3caa232f46b18e501980599fafffaad728c770712abfbe84b146cc13d48af02231b068d4988db594e9726afb7460f8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\certifi\cacert.pem

Filesize
275KB

MD5
712a0c9e3337edc7f4c6c36a67727866

SHA1
cd0cc7f28f7c8aefea6f54f392c7bd68acacf572

SHA256
53b8854f8fe7fbb5c27c7a5cf08e3a69de641ee1af0d279d95ad9f75b428414a

SHA512
2183f4eaf351e500054039eecabf76df00c1fd66d777ac7cffab841bcbf6a60673d138c550b6e73bc80c5c7a162f399e4a6a62b120841df2902313cb747b14c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\sqlite3.dll

Filesize
1.4MB

MD5
ce480e119718e4ece416c7216aef7620

SHA1
f5ef2e1c2bc7f25221cc84461975b536b165fec2

SHA256
9c903beee9b402a167a0e1e66fcd80790840efc4d55753dcf06f1e742777e374

SHA512
2d57d162d8e9a0b35f21e06e0d62378c1c567540618c2635583d5f86cc99e1583924d0ee136c034631c3736e0fa3d8b7fcc3522757134758a3a647d36592d2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23402\unicodedata.pyd

Filesize
1.0MB

MD5
84fb421643cab316ce623aa84395a950

SHA1
4fba083864b3811b8a09644d559186ecb347c387

SHA256
5578c3054f8846be86e686fb73b62b1f931d3ed1a7859b87925a96774371dba4

SHA512
a2132f93b0e4292dc9c32da2a6478769ec4f58be5c36ee2701e2a66154ea1dc2c0684fc7698e7c3ac04f5c1d366cb9633a9366e5a38b7ff7a964ff25ea266f9f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23402\_bz2.pyd

Filesize
84KB

MD5
b89b6c064cd8241ae12addb7f376cab2

SHA1
29e86a1df404c442e14344042d39a98dd15425f7

SHA256
0563df6e938b836f817c49e0cf9828cc251b2092a84273152ea5a7c537c03beb

SHA512
f87b1c6d90cfb01316a17ad37f27287d5ef4ff3a0f7fd25303203ea7c7fa1ed12c1aef486dc9bbb8b4d527f37e771b950fa5142b2bac01f52afbfdbf7a77111d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23402\_lzma.pyd

Filesize
158KB

MD5
6e396653552d446c8114e98e5e195d09

SHA1
c1f760617f7f640d6f84074d6d5218d5a338a6ec

SHA256
5ddba137db772b61d4765c45b6156b2ee33a1771ddd52dd55b0ef592535785cf

SHA512
c4bf2c4c51350b9142da3faeadf72f94994e614f9e43e3c2a1675aa128c6e7f1212fd388a71124971648488bb718ca9b66452e5d0d0b840a0979df7146ed7ae5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23402\_sqlite3.pyd

Filesize
85KB

MD5
7f184284e7786226d3b1de5f02338a48

SHA1
b5b8d1a23780dabe32e994a6a7b348fc56f97c43

SHA256
17fb342ecdacb63160576dec824c9f627ed06a6ba58236110620afaeacb45bb5

SHA512
c3794f8e0eacaa98c756bc6f0ab7ee39ccdc228691298c9b5d14ed834ec06f408d86031bcd62cffb02e349706fee8763ca24d39b13cf7a8feefacc25aab9ed46

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23402\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit