Analysis

  • max time kernel: 117s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-03-2024 13:41

General

  • Target: dbc3b7443f9fc4dc0b51b186f9feee29.exe
  • Size: 255KB
  • MD5: dbc3b7443f9fc4dc0b51b186f9feee29
  • SHA1: 6553b73710f1c5dbf60ca64c0d7e7a535b8ce803
  • SHA256: 51ef5b112e89b59d2a8c7921af0dc5272d059b9c5a1ddbd1bfe4f9a5fcff8e46
  • SHA512: 64472f4d8c31909f5e9eb049778c339fddbfe41f6090bb725d0864056d4d2650663164d03e43e96e528d490d55d78efe826060438a7e077d1a7cac3341e3300c
  • SSDEEP: 6144:91OgDPdkBAFZWjadD4sqFuZ1DfjNBjV2SK2lz+Bul1:91OgLdaZuH5BjV2QSBE

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (4 IoCs)
  • Modifies registry class (63 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • System policy modification (1 TTPs, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe
    "C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe
      .\setup.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\wxDfast\uninstall.exe
    Filesize: 46KB
    MD5: 8be20144dbd200c6de0c9430ed9280cf
    SHA1: b81e3aacaaedd66ef0896acabc6983c94758e2b4
    SHA256: 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
    SHA512: fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\bootstrap.js
    Filesize: 2KB
    MD5: b9165e81934c746e3a33afc6bde86143
    SHA1: ce38f37d26d5fa6309f4d42cbf470bc4a884b100
    SHA256: 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624
    SHA512: fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\chrome.manifest
    Filesize: 116B
    MD5: e7e543d1c04192314d3b4f8c38181380
    SHA1: 521b4a98932279d4233dcabbf69b6cf8f77f4254
    SHA256: 63abb8024a686073dff842d91e89232db01254f97b6eb91056789f213a2430cf
    SHA512: 27ed73a9ef90265b6e4f9077a7d37845d32ac856324b208c85eae55a7e34bbfbc4e9378fa757c483ae4ce62dbc9093402a07ed5c09405bb1e8f021e0bbd94327

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\bg.js
    Filesize: 8KB
    MD5: 242f79795d732646b17bc0dc54475b67
    SHA1: d7e3204ecaa652e622a4fdc1f1032be6fbbc1391
    SHA256: c968eb81998b8c327edad4ef2719d2127c3f8cb297e7810d2ab285306b136160
    SHA512: 6e91cf06da1d121544b3832eb47ca2684c1a74312ab2115084f8aedc550ba1f92fedf12bd0227402a4bfa6c9f47f7b3973440c35031964deba125e0468c65dac

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\zy.xul
    Filesize: 225B
    MD5: a1264ce9ffc47c7442ac3cd92549dbfe
    SHA1: 0a59a196c47015375fe36eaa1459f9eb4776f211
    SHA256: 52f69d71c567894d045311d275ae6f003f3da8e04d63118b0ae9fe1397cf5d45
    SHA512: 83a6c0ef4ef2bb50183fd12bbbfef0df3857e86028690940ee5427f868faa522f042ea449f31f9ae22c432442516e369b602ed17e567826baef4e40fe2927799

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\install.rdf
    Filesize: 714B
    MD5: d403b95f264fc09ca718ed8c28fc551c
    SHA1: a5cc7c33761d47d7e5d8d163c2328e65371259a6
    SHA256: e14455c835deb2535b3cf9b0d96d49d338ef9814c0e29777acea417299f00394
    SHA512: 0651574c5bc47115dbfb79812ffeb4dcca14c9f5aa8284d9ea8b7e453ad828579e17fd7e21141e1518f641b2288231ee25c9e08160f98df3507141500a2c6f25

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\background.html
    Filesize: 4KB
    MD5: f99e3ce2a4b055651f1d6cae063d6177
    SHA1: a0c8a2c6ba88062edac44a9989d55e6d8ffe6661
    SHA256: e8aeae359dab85ff8a66886bfe7484c0831392ffceb281c4b6bde4d4a2ca8cc2
    SHA512: 29cfcdd30d518ee66b8ef42727e5049b039ae5060717dfc2793614c7c5bb31aed811a73871baaeafd671a33ebe0af4146a96d3077d19bee025f4a8d91188fed3

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\bhoclass.dll
    Filesize: 164KB
    MD5: 0fba1e50c5ca7a4cfeac6ab8f1fcfda9
    SHA1: 532b7ba678f2de4b4493c89ac13624622058c54a
    SHA256: 160a3d5b09df4d7e764ad8173ba44aba43aace29df364d788fd069b2530a977f
    SHA512: 339f6ffc41b70fe312fe6b517e8c5931c24a7a4bcd2d84db2923d089aa29ecdfa3e78944f9c0f9580dd92eb26daa45ee4c1453634ad36a5057a12a3088cb34bf

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\content.js
    Filesize: 386B
    MD5: 653e783c90f0ddfeca78491dd1a64b54
    SHA1: 219d72d86277224f55359e37c4b991bad57d52d3
    SHA256: d6826548fdb82fa48f0a0513d85b72c7c50f917a4301977bd29bfc2703f58366
    SHA512: 656e47b1e0c1b365d5591ee9f43a19d099c25e330342e9d11cdb3d4f916c50446cbdb7c90dfe8c43c63ad070846a8ba99ba44fa25ea460cad202ddd0f78b0c6f

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\hnmcnkenkejknnmjmhnopldmbilbfjbp.crx
    Filesize: 3KB
    MD5: 3b5e21cdaec9856f48e2b59de562dd95
    SHA1: f4988e726d52c7075a91e49e8c0f45086a88ced1
    SHA256: d78ffe892929237d69d6a159333e8ea8ddb3fda0f88e8ebcdcb69536f80ea3f3
    SHA512: 980c786073995b2fda073440ffe2f9b8f8e26a843a8b1e6899498c13967c5faa135accb4066cf6ab5b658258efddbb8771e6eb0ce67eec9f159cb92c1d4391bd

  • C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\settings.ini
    Filesize: 662B
    MD5: a780c9e02de08a2eb5ffbbe8cf1288d5
    SHA1: ae9db3390008dc61f843e907d1c0d760112f361d
    SHA256: c2976606e230c9bf32266781b66f3cf5e43b766342db3c97b44b49e574c12e88
    SHA512: ea8aca3bdb2dbedb7da9fd6b28b25148cb302e3e337624ebd579c37adc82e12653c3e0b9f7985d716ce36d8a4dc2e953c8699603efae38e5fafb6db1e81a7de3

  • \Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe
    Filesize: 61KB
    MD5: 16ef6e914973925977cdc5ef6b8b2565
    SHA1: 4815da2815975b33f5dc94d482e6dbc02588afa6
    SHA256: 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
    SHA512: c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059