96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b

Analysis

max time kernel
55s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64.exe
Size

401KB
MD5

3e682955546fe3b6b1296a509ff80f65
SHA1

da050e533305cd03b0235af1cbccfd3ff611d4c3
SHA256

96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b
SHA512

dcb1dc90e85179e39dfcc773f9f790e230d9b563cb50dedac1f2e5d0106797bd8fd2b8c9a14b68134eb0b5b7aff66de1b6f6c46a69f9d98542070fa168d87436
SSDEEP

6144:cDGeTb5E+Z7EAXrvPRIxK0zBL/TIDC2dL3RltnfoBglM7zMUdsvk3zhAt76zkiz4:cDGelZ7FXrPy4ix+LBltsgK7zXIqbkT

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4808-0-0x0000017F14B60000-0x0000017F14BCA000-memory.dmp	WebBrowserPassView
behavioral2/files/0x000d000000023af1-5.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/4808-0-0x0000017F14B60000-0x0000017F14BCA000-memory.dmp	Nirsoft
behavioral2/files/0x000d000000023af1-5.dat	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	64.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	WebBrowserPassView.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4464	WebBrowserPassView.exe
4464	WebBrowserPassView.exe
4464	WebBrowserPassView.exe
4464	WebBrowserPassView.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4464	4808	64.exe	83
PID 4808 wrote to memory of 4464	4808	64.exe	83
PID 4808 wrote to memory of 4464	4808	64.exe	83

C:\Users\Admin\AppData\Local\Temp\64.exe
"C:\Users\Admin\AppData\Local\Temp\64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Public\WebBrowserPassView.exe
  "C:\Users\Public\WebBrowserPassView.exe" /stext C:\Users\Public\WebBrowserPassView.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\WebBrowserPassView.exe

Filesize
391KB

MD5
8b2597e2844a621b45f2616952b074b2

SHA1
c93b6da0726154b989674219e2c0238559d73f62

SHA256
119a6e9c8246102cd4cc8c6926d9c9ef66646079ff361dd73cf43e869081f0c6

SHA512
552f7675b39cbf74dc3b5b1571cec5b6c6b3e2b8ef287126f5b48d6d5940b12680149f835fd53e04286aece3dc8dc7c51e76d17b48150d0d4ddf4e3f0d6cabd2

Download Submit
C:\Users\Public\WebBrowserPassView.txt

Filesize
4KB

MD5
e255c36d21183acb0a1a38b1344443f0

SHA1
9fd09dd85a76f8211e9ba81929a1f10d3c499917

SHA256
00459ae0cad2abd0641bc5e9fb35d08bccec2d498173adc35810ae820eb55b47

SHA512
0e1319f62957c7b3bf1d6573bf24a0bb1cbaf8a0665de6584483885f8c340545cacf36800436892073979a02f3739526569b8c01f862ca9a4b3940c31ad51d4a

Download Submit
memory/4808-0-0x0000017F14B60000-0x0000017F14BCA000-memory.dmp

Filesize
424KB

Download
memory/4808-9-0x00007FFD0ACC0000-0x00007FFD0B781000-memory.dmp

Filesize
10.8MB

Download
memory/4808-19-0x00007FFD0ACC0000-0x00007FFD0B781000-memory.dmp

Filesize
10.8MB

Download