7a77090a08a808821e1536b3e62a9cc7b51ecdaeb7032c3768387054ccfe01f6

Resubmissions

20/04/2024, 09:30

240420-lghqsaeb4t 7

20/04/2024, 09:24

240420-ldceladd77 7

20/04/2024, 09:23

240420-lclxmsea21 7

Analysis

max time kernel
245s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vacuum.exe
Size

19.4MB
MD5

2266c7c3998d203663eceebfcdf5b489
SHA1

e30ef90317492965c5516fd7a6e3e5c7452524d6
SHA256

dba2a3cfc126aeb845acc92e919843d899cc24fde3895622308584b39ba77d9c
SHA512

88d3916f216fc8eb120cd6cfa43561bb5bd067a532c157a84eec263c38874b58cfcbb84e9247650f09e2f7feaa6d61be5e14cad48cdba1a9fb30ea8320a47fc3
SSDEEP

393216:aoQ0M8qdBLGUW/hSoI2IobkqJHR2tWQrdCp8dx/uaAxJodQ3RInEropazY3BqKxj:xQ78S6bRI2Bbk8R2txZpAxJTCErup3Bl

Score

7^/10

pyinstaller spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1692	caqqwe1.exe
440	caqqwe1.exe

Loads dropped DLL 17 IoCs

pid	Process
3716	vacuum.exe
3716	vacuum.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe
440	caqqwe1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000700000002340c-27.dat	pyinstaller

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4384	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: SeSecurityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe
Token: 33	4384	mmc.exe
Token: SeIncBasePriorityPrivilege	4384	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4384	mmc.exe
4384	mmc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 3716	936	vacuum.exe	88
PID 936 wrote to memory of 3716	936	vacuum.exe	88
PID 3716 wrote to memory of 4320	3716	vacuum.exe	92
PID 3716 wrote to memory of 4320	3716	vacuum.exe	92
PID 4320 wrote to memory of 1692	4320	cmd.exe	94
PID 4320 wrote to memory of 1692	4320	cmd.exe	94
PID 1692 wrote to memory of 440	1692	caqqwe1.exe	95
PID 1692 wrote to memory of 440	1692	caqqwe1.exe	95

C:\Users\Admin\AppData\Local\Temp\vacuum.exe
"C:\Users\Admin\AppData\Local\Temp\vacuum.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\vacuum.exe
  "C:\Users\Admin\AppData\Local\Temp\vacuum.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start /min /b caqqwe1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe
      caqqwe1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe
        
        caqqwe1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:440

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16922\_queue.pyd

Filesize
26KB

MD5
bb3535a61e265d9ea56521b805de1e30

SHA1
b892b71da975fc3d179987d8fa6890f0febe4c17

SHA256
cd8e05021d6b17e2e43af604c1a760f5b71b32cb556d07c0ce0ffe341c35a186

SHA512
5577e7878601505c6aab3838471459d4bedd346f752149bf70a274e048a42b23b71e1d64230bb2e6a1bba115ce360b205e99ddde85a18974c643b003f50d91aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16922\_ssl.pyd

Filesize
152KB

MD5
e1b3495e82d7e3c6baea5c17533940eb

SHA1
465f0c9de0e778b36cfa4780f92bf2b42691e22a

SHA256
1a4c3b75a0a641260d6457e9007f11ba9d3233494b2847e6d8368da7349053e1

SHA512
8060a462d345632e64d173371864f214455bdb37462a264d18d98e0755642d6966fc7502c21db04b804240758b42ad79b4b136cdae5ec578101b66cf4aafb912

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16922\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16922\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16922\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_bz2.pyd

Filesize
78KB

MD5
10b1525361440923f3ef04b141cf3f1c

SHA1
b814868694a2a83ced84660b8af0c353f66f6d24

SHA256
2b2920ef7a211e053296aac9965ac569433be0843ea6ba403ab5c9e23604ada5

SHA512
d3d438926b4786df86eed7439e215754967ab0abb544a8782947e78adb8d5be86255e3d067cb0bdb63332173e2bc4d0042642a0093a5ba6851f6ef8fd470e7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_decimal.pyd

Filesize
244KB

MD5
625d593ba82433b041414ca89e4b6f50

SHA1
bb31b6fa9f1b61d1d6f23be39981de8a28c4678a

SHA256
b8b19b84493f1501056cbd25c2dcd72e502d454043fbc5d77b93437b3f69819b

SHA512
fe84fd43b6d6a83d7f70d5d5c930e490ef2152a0b8a2f67f063021eec342e0cb57cb3afa4407a0132a079e870c5cf38d0bf93f681d2b5361e6711c6db31d295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_hashlib.pyd

Filesize
57KB

MD5
97b37cfd6b49ee97523d97cd067d36e6

SHA1
a8094bdeb30e85a7955f6102b3a0bde495ceba61

SHA256
b0d44ecec14cd64d562281604e9f2e31213bdc24833479f49924c4750f928f96

SHA512
737c72b5391c01a44f2e94d5746757872af22c5b280034bbd1ad7be55e3d962fc724b47d28949706a31f0511519e20f25256a2c2fa1501be1437f3807016609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_lzma.pyd

Filesize
149KB

MD5
cddacf71702e25d930a952eb57772771

SHA1
3d383a5f36858f5808645b5d5d5190e2fc7d01d4

SHA256
8abf48bdd1e24cb5405aaa7529b63f0a83b080a98dd86223ae615ef8fb74f46a

SHA512
9d05fd1b9f00083ed2f27518a26913eeccfe0e4cf1819f6a1d880f7a2d03f5946a7674716ff72a867a777fd54bfb897a482f47252b372085c1a92d3f80137d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_socket.pyd

Filesize
73KB

MD5
dd1d1c2d2f5f1ffebf169b814d5b7ee7

SHA1
3af5882535c263e1ed7e3ca8f89f904ad6c1960d

SHA256
8515f2e5ec194bc43e3a8b7e924b4e9e09e0adb2fdecb9c8930b0ac20807544a

SHA512
857e7bf0dfc9e42315b3c0a29cd83518be8966689a257c456685db859b42bfb2e44570b5f055adb3295a61c9201df99504cb7cd30ce98b9866c2435df6eb17bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\base_library.zip

Filesize
857KB

MD5
4be939938320504927755ab629d45651

SHA1
0fd416e6e78393e377491ec50bc0e4f161145e7a

SHA256
d421ec9920edf6261d970ffbdb4357360851bd76a66dbd7410ea2afe5eaabd47

SHA512
736e2ca9caa54128c5376140876b12306aeab8afe8186ae2ab8f3c7b27659395fe27bbe63150b97a36956e0e56b17a096f0468cf86ac96df08c03233bd331df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\python310.dll

Filesize
4.2MB

MD5
c98916b26adeb981be257033ff149b47

SHA1
de60fa540ac696ec0bdecfe8848424ac0bc57763

SHA256
217835a7afe449a9f835efe19ffd36e9191c9eca66826df8e813b4ccce2aebbc

SHA512
d09e5e18496239d739a677b0a5777388e22aad93a37b3a2f935d6028d618606e8d26dc3f6a483d46390a4f478ecf1b44a77ab9d7fb9b9432fbe75d2f6e180a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\select.pyd

Filesize
25KB

MD5
e790a9ff2175e6985cd96235d575e7a1

SHA1
171a32ba7c2820fcf524f7e51945b5922768cd2d

SHA256
122be1167bf1315af6f784ff0c96beda96d740b87f24771cf59bd1522158a5a2

SHA512
0f471afb3ff10aa56eee4374221d76604dca4d93be1e0718ebddad2fd71f0d715f5b5df131411f8433978d6be553badee69a43e0be8fe30dc7b72ec0f64c2089

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\unicodedata.pyd

Filesize
1.1MB

MD5
32860cb4f785e434e8292d51add03da9

SHA1
5e9878604ef4c2488a8a0775f9281c66015c3832

SHA256
6bd9381806be2c2ee608cdcf3f6379086918c5f7a9494f81f9d7699e2e8e3c01

SHA512
1c3fc8bbc638e84955000bf567551afd5a74734d3c20fac53dfe969bdd88180bb4615bf6918df9dd7529e220ba6c1a89580dd53733f372ee87b077c1f5aca30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\caqqwe1.exe

Filesize
6.2MB

MD5
dd513d950efe1ae66531647aaffd5d7e

SHA1
a7b7ee391d0acab452e673618688d0c9fe5f36ed

SHA256
7017b44f8a6881899232c1dd6a292324a7aa87077982153c4843a2d085f4621e

SHA512
632dfa44f037d26906cfad39af2b3970aad722f604c492fde4e0b5dfcaeaecb5eedd8cfcff40cecc744fe42634d71f864b865a311a3d0967e4cc9c7124ea8bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmzasde

Filesize
1KB

MD5
ddcd8a2a436b7de3fc616c6a751cabfa

SHA1
f1560f662591cbf3505a9e314dce4f8bdcd6968d

SHA256
62d672510d7b1e23952ca90715528099a86ab80dc7007c0b81514cbf1c4365d2

SHA512
84e72be2bfc13c8876322c1e2366564e2c70297eb54ba55bcbdb3542e3038e4a4dbd9fd62128c09abd74618b3cbead8723427cfce40d1d484336dd535ffa6c9e

Download Submit
memory/4384-79-0x00007FFB71AB0000-0x00007FFB72571000-memory.dmp

Filesize
10.8MB

Download
memory/4384-80-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-81-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-82-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-83-0x00007FF4565C0000-0x00007FF4565D0000-memory.dmp

Filesize
64KB

Download
memory/4384-84-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-85-0x00007FFB71AB0000-0x00007FFB72571000-memory.dmp

Filesize
10.8MB

Download
memory/4384-86-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-87-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-88-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-90-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-91-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-92-0x00007FF4565C0000-0x00007FF4565D0000-memory.dmp

Filesize
64KB

Download
memory/4384-93-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-94-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-95-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download
memory/4384-96-0x0000000020B50000-0x0000000021078000-memory.dmp

Filesize
5.2MB

Download
memory/4384-98-0x000000001D520000-0x000000001D530000-memory.dmp

Filesize
64KB

Download