e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d

Analysis

max time kernel
119s
max time network
138s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
Size

6.3MB
MD5

a36d41f2e8210c0da3814b8e9a15500d
SHA1

e3fba49fd246e3580bca587982a0f9ee820a582d
SHA256

e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d
SHA512

66d27c8d3fe43ffd0e3d10b70a6e9fdbf8ccc7d22efd0db98d7113330d85653f6d25a347dc9030f114322ba0cb348c0580ca96fdf7cdfc2873e43eaba1d51b79
SSDEEP

98304:HyBEvyd0JkMzAo/Tsl03kxD7EhHwwsrfYbQa8vCMTXeXgAg:S0JkMzAo/Th0xD7Kts0t8vLX5Ag

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2332	DocumentSaver.exe
1260	Process not Found

Loads dropped DLL 9 IoCs

pid	Process
2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
1260	Process not Found
2332	DocumentSaver.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2332	2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	28
PID 2188 wrote to memory of 2332	2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	28
PID 2188 wrote to memory of 2332	2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	28
PID 2188 wrote to memory of 2332	2188	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	28
PID 2332 wrote to memory of 2772	2332	DocumentSaver.exe	31
PID 2332 wrote to memory of 2772	2332	DocumentSaver.exe	31
PID 2332 wrote to memory of 2772	2332	DocumentSaver.exe	31

C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
"C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2332 -s 924
    3⤵
    - Loads dropped DLL
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SQLite.Interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe

Filesize
5.2MB

MD5
cf7eb797b63e8322269eb8281975af53

SHA1
beff0874841fc49e458f9fbfb04664143535bf32

SHA256
710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424

SHA512
a22e79c05cb3848a8810cfa18380b7bd7af31b4b5b5c816710bfd6950f0c2d69c20db78a319ce3134b302033d1209868eff4d46e9fbcf2066a2e10f9c23f64f5

Download Submit
memory/2332-13-0x0000000000020000-0x0000000000554000-memory.dmp

Filesize
5.2MB

Download
memory/2332-14-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-15-0x000000001C030000-0x000000001C0B0000-memory.dmp

Filesize
512KB

Download
memory/2332-18-0x0000000000E00000-0x0000000000E62000-memory.dmp

Filesize
392KB

Download
memory/2332-22-0x0000000000BD0000-0x0000000000BF5000-memory.dmp

Filesize
148KB

Download
memory/2332-23-0x000000001D360000-0x000000001D410000-memory.dmp

Filesize
704KB

Download
memory/2332-25-0x000000001C0B0000-0x000000001C3DE000-memory.dmp

Filesize
3.2MB

Download
memory/2332-28-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-29-0x000000001C030000-0x000000001C0B0000-memory.dmp

Filesize
512KB

Download