0d4308b6f8485ce220fd28ec288d35f51b4c4ffe7e5686f9c1bfcdb597abfdb3 | Triage

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 17:31

Sharing

Report Analysis Logs

General

Target

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
Size

483KB
MD5

b2051458b90bd123d75ff11f68075040
SHA1

c92310ac13276b1210e2ceebfb41ec18ec218cfc
SHA256

0d4308b6f8485ce220fd28ec288d35f51b4c4ffe7e5686f9c1bfcdb597abfdb3
SHA512

4a273fe42bfa7e9362292dd9981d2b122e1248cde27d1214f28e1b1b0efb4ea6a85cfc4c8d09e757edf70876d3bd188ec5764a967d42b62aed7430e82c3f94f9
SSDEEP

6144:gXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNc5Gv:gX7tPMK8ctGe4Dzl4h2QnuPs/Zs9cv

Score

9^/10

collection spyware stealer

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2492-13-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2492-28-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2880-9-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2880-25-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2880-9-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2492-13-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2880-15-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2564-18-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2564-20-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2880-25-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2492-28-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

Email Collection

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

description	pid	process	target process
PID 1844 set thread context of 2880	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 set thread context of 2492	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 set thread context of 2564	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

pid	process
2880	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
2880	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

pid	process
1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

description pid process

Token: SeDebugPrivilege 2564 171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

description	pid	process	target process
PID 1844 wrote to memory of 2880	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2880	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2880	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2880	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2492	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2492	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2492	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2492	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2564	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2564	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2564	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
PID 1844 wrote to memory of 2564	1844	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe	171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe

C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
"C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe /stext "C:\Users\Admin\AppData\Local\Temp\knrv"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe /stext "C:\Users\Admin\AppData\Local\Temp\vpwgcza"
2⤵
- Accesses Microsoft Outlook accounts
PID:2492

C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe
C:\Users\Admin\AppData\Local\Temp\171104221475a7d0d19372bf3a71e1aeb30f7e2c384e09d1a3c0bc6502e4fd6092ce5a8492303.exe /stext "C:\Users\Admin\AppData\Local\Temp\fkbzcsloae"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\knrv

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1844-36-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1844-35-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1844-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1844-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1844-30-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2492-2-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2492-10-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2492-13-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2492-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2564-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2880-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2880-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2880-1-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2880-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2880-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download