82124a1a1031c492b955125e0a17ed8ca233590a538ece164b088de9804ef54e

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d66bd97a1aaff1dd5afba1b8f617cff7.exe
Size

222KB
MD5

d66bd97a1aaff1dd5afba1b8f617cff7
SHA1

1a00ea4cfc61e69154733853cbab317c61980f5c
SHA256

82124a1a1031c492b955125e0a17ed8ca233590a538ece164b088de9804ef54e
SHA512

574c42990ecfe881c55432e0cb3fd55c63de2fef1d0456982ed3768ba1a929b72761edc0257e89cdf9c9fb9cd758c0daf6f79e81c5894d1e6902109a6ff44217
SSDEEP

3072:CKiG5vJC0Q+A/y+8j8NaBrQIw3LTj6/ed7186o8A3l1RLnYT0wOBZICg7n6FZpof:tiGVJ15+W8cYyU71zo8A3l1RnpkCgDS

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
272	d66bd97a1aaff1dd5afba1b8f617cff7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	d66bd97a1aaff1dd5afba1b8f617cff7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1740	272	d66bd97a1aaff1dd5afba1b8f617cff7.exe	29
PID 272 wrote to memory of 1740	272	d66bd97a1aaff1dd5afba1b8f617cff7.exe	29
PID 272 wrote to memory of 1740	272	d66bd97a1aaff1dd5afba1b8f617cff7.exe	29

C:\Users\Admin\AppData\Local\Temp\d66bd97a1aaff1dd5afba1b8f617cff7.exe
"C:\Users\Admin\AppData\Local\Temp\d66bd97a1aaff1dd5afba1b8f617cff7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 272 -s 1360
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp50C1.tmp

Filesize
256KB

MD5
4869c6062e255ff67fddb4e54b580d37

SHA1
2ec6ba0a3490984c4939422b63e79a45f121e031

SHA256
8e982e0cad378ac2f4db4d6c11fa5a1c2bb19add80c803c9cbb976ca118720d0

SHA512
1987b6e3b5b1e123d4e6c44ca470e42115d7988605915c83f526bd2c5eaa7fc1caceef466cdfca49e620098f22ff37d4b79532cb94c186ce8eb81374ba4274cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50F3.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5147.tmp

Filesize
92KB

MD5
f3e902fee4f09763285dd6f6c79a360e

SHA1
b059c0b3f571f6076855e9dd4fa1ba3dde983d4a

SHA256
78f00e01db0672f2f13ff0d35bd653faa1478986da04d3cbc0aac739db083db5

SHA512
c4bc3955dbfd7c9f4f0021df6f079c36a94dea02ac56911dd46fe0781a9e212b3cec795b4aa7b68f9cfbaf281e7e8f450672ad54c2cdb52a92f0c1de42a9fa58

Download Submit
memory/272-0-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/272-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/272-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/272-3-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/272-4-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/272-7-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/272-114-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download