de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3

Resubmissions

29-04-2024 19:30

240429-x7vc2sah46 10

29-04-2024 19:28

240429-x65gmaah25 1

29-04-2024 19:25

240429-x49zbsag74 10

29-04-2024 04:45

240429-fdebasaf52 10

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
Size

718KB
MD5

1bf24ce8b5e34930932432d626fac06d
SHA1

32276318f55c1118980f98377968de0f78c9227e
SHA256

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
SHA512

d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
SSDEEP

12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2904 created 1224	2904	Mentor.pif	21

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2904	Mentor.pif
2684	Mentor.pif

Loads dropped DLL 4 IoCs

pid	Process
2288	cmd.exe
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2684	2904	Mentor.pif	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2568	tasklist.exe
2744	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1912	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2904	Mentor.pif
2904	Mentor.pif
2904	Mentor.pif
2904	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif
2684	Mentor.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2904	Mentor.pif
2904	Mentor.pif
2904	Mentor.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2904	Mentor.pif
2904	Mentor.pif
2904	Mentor.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2288	2940	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	28
PID 2940 wrote to memory of 2288	2940	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	28
PID 2940 wrote to memory of 2288	2940	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	28
PID 2940 wrote to memory of 2288	2940	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	28
PID 2288 wrote to memory of 2568	2288	cmd.exe	30
PID 2288 wrote to memory of 2568	2288	cmd.exe	30
PID 2288 wrote to memory of 2568	2288	cmd.exe	30
PID 2288 wrote to memory of 2568	2288	cmd.exe	30
PID 2288 wrote to memory of 2632	2288	cmd.exe	31
PID 2288 wrote to memory of 2632	2288	cmd.exe	31
PID 2288 wrote to memory of 2632	2288	cmd.exe	31
PID 2288 wrote to memory of 2632	2288	cmd.exe	31
PID 2288 wrote to memory of 2744	2288	cmd.exe	33
PID 2288 wrote to memory of 2744	2288	cmd.exe	33
PID 2288 wrote to memory of 2744	2288	cmd.exe	33
PID 2288 wrote to memory of 2744	2288	cmd.exe	33
PID 2288 wrote to memory of 2724	2288	cmd.exe	34
PID 2288 wrote to memory of 2724	2288	cmd.exe	34
PID 2288 wrote to memory of 2724	2288	cmd.exe	34
PID 2288 wrote to memory of 2724	2288	cmd.exe	34
PID 2288 wrote to memory of 2760	2288	cmd.exe	35
PID 2288 wrote to memory of 2760	2288	cmd.exe	35
PID 2288 wrote to memory of 2760	2288	cmd.exe	35
PID 2288 wrote to memory of 2760	2288	cmd.exe	35
PID 2288 wrote to memory of 2600	2288	cmd.exe	36
PID 2288 wrote to memory of 2600	2288	cmd.exe	36
PID 2288 wrote to memory of 2600	2288	cmd.exe	36
PID 2288 wrote to memory of 2600	2288	cmd.exe	36
PID 2288 wrote to memory of 2464	2288	cmd.exe	37
PID 2288 wrote to memory of 2464	2288	cmd.exe	37
PID 2288 wrote to memory of 2464	2288	cmd.exe	37
PID 2288 wrote to memory of 2464	2288	cmd.exe	37
PID 2288 wrote to memory of 2480	2288	cmd.exe	38
PID 2288 wrote to memory of 2480	2288	cmd.exe	38
PID 2288 wrote to memory of 2480	2288	cmd.exe	38
PID 2288 wrote to memory of 2480	2288	cmd.exe	38
PID 2288 wrote to memory of 2904	2288	cmd.exe	39
PID 2288 wrote to memory of 2904	2288	cmd.exe	39
PID 2288 wrote to memory of 2904	2288	cmd.exe	39
PID 2288 wrote to memory of 2904	2288	cmd.exe	39
PID 2288 wrote to memory of 1912	2288	cmd.exe	40
PID 2288 wrote to memory of 1912	2288	cmd.exe	40
PID 2288 wrote to memory of 1912	2288	cmd.exe	40
PID 2288 wrote to memory of 1912	2288	cmd.exe	40
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41
PID 2904 wrote to memory of 2684	2904	Mentor.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
  "C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Evaluation Evaluation.bat && Evaluation.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2568
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 36973
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "BabesSalvationCarriesBabes" Drawings
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 36973\Mentor.pif + Adjacent + Captured + Sacred + Vagina + Lafayette + Surveys 36973\Mentor.pif
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Counting + Francisco + Honda 36973\o
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\Mentor.pif
      36973\Mentor.pif 36973\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1912
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\Mentor.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\Mentor.pif"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\C2OL53Gw9P62

Filesize
92KB

MD5
bbe71b58e84c50336ee2d3bad3609c39

SHA1
bdd3227b48977e583127425cbc2f86ff4077ba10

SHA256
b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

SHA512
07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\Mentor.pif

Filesize
14B

MD5
31e58e7820d68b99cbe79fafaa648de8

SHA1
910fe879c305978c20b93b8ac8c25d829233d9bc

SHA256
aa28297aaf8306156db4f96c282b83b4cd80543e680aad6d424de88b22f8ec57

SHA512
2f5c696266f0f5f6a734bc55a23d775b15343ce66d2bcf6503008d406762ad1eb659d914293cb7095deb579366ee3bf05d84e6a038736cf925bf3094f3e45de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\o

Filesize
526KB

MD5
dd2acdef84b287794876c92c2a735aec

SHA1
1ff96f7a71f808ddaa2fc197b6299532a8fcd0fb

SHA256
3a149e1f3ec43f37fb419affaf175870725b78b8fd5e42019fe6a988823d7282

SHA512
664ad38efc6be0fe5a16d3670c564064d19fc27bc56397da8f798f7bb9bfcccb92e6f4b05d2f399a838dce1bff860b4e678f112b6eb90db9d3e97996f01e1524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adjacent

Filesize
64KB

MD5
7474db7b5f39b27e7fbce6e370b4bf66

SHA1
d4d7c4d41bded1c9d8959017cfa7846e435d93bd

SHA256
0efd0625b7921c18935c66adb4b3a653a913ecd90ab3b8b1983ff4101479605f

SHA512
3247a749ddde2e80cc2d1b5f9c47d5ce4af2389da59de3360d8cbc60445bd593c5fc3270fb1eb156a344d69cc00b88e02feb6600998f4e7323f4ae3219aa273a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Captured

Filesize
131KB

MD5
88edf7bb55387e597f59684273f66bb3

SHA1
99786b34a5db73c85a43cd4c18a8c085fed5ab89

SHA256
f61189f0f701466dcc3e2f6a8e411e7878cbf9ba6bba49917d612c19b1cc6a23

SHA512
84689a3c6d933710dffc4d80c0b41820a8e5a6309ba6979d07e22a638aa4db143f00ad80388871e444c3edf5332f471ec0db227ea97a3f0df2c9e2cdc5f3dd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Counting

Filesize
281KB

MD5
a262219e61af791c944a87d07bac0075

SHA1
d74aeaa010271d13e1edc54bc73601e57f020c49

SHA256
0177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0

SHA512
116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Drawings

Filesize
42B

MD5
477a08320d6c6e2f4512d40eb08713b1

SHA1
7be0348f77ae584c1ef6b8de1321473da3f9aa3c

SHA256
027643fd5055f08abd161719191a2ac764cdf555d452da6cb84ecfd557144529

SHA512
1bebae844d70507826ca40d135d12172aba7c23c5ed6cd7f2a3d229dc8e137e641a527b63e1474a4f0e4849568aa6ce6fd3d1276772d75b7f597d6b0a51d01c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evaluation

Filesize
21KB

MD5
b647cde3038a87c2498edec310305673

SHA1
6fcc09d2c62d284b66926d3605aff5510e7e9453

SHA256
5c67bac057822f53f941200e27d24c5277ac742b78b3c3f5958a74a33c49b38d

SHA512
db701f47fee7344c4331664ce7a0187e6b9e9d47bab386665d64a61ca3a21de24af193dd1b485fdea8a003e4cb859bee73b2ddb7e3304719df1ab3446a367482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Francisco

Filesize
210KB

MD5
1bd18404bd951a8deb7845f75a6399f9

SHA1
748f9977c0e7d628bad8d3d8e827100b6590cb4d

SHA256
16f684e24d64d7102f8ca4feddbbc6764fc405cc3688353baa3c086f98fda1cb

SHA512
b00b38068cbc363e7fd5ff4038610f56828ffe13fb7ab78b6103baf6efeb05d4e9024e7383b8b6c73a010bce87f978e163685df6f3801aaa34f5da940aac6bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Honda

Filesize
35KB

MD5
59c2b53fe828fde64bd2a39a5de07ee9

SHA1
2ed2c83a393b5e30131acaf57893dd46c1084b52

SHA256
6a258a819e64d26e05f34edadd0ef7e11f58cf4d68f60aba82a71f5236e9f9eb

SHA512
28f667142fb539194d66503ecbfe9ee8fdb35dbd9324b4fb27ee0b6d2b76150f0a2751d825cc11314ae42f4d30b8e2c6a941c72a3cf72126391c48a4e3437998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lafayette

Filesize
200KB

MD5
4db90c416a38e4572abf3261e5dacf6a

SHA1
3d721f9c266090469bc46f9f3616d47611492038

SHA256
3ed0263be62819660e0fd37e95ab71b30ab8409348ac4f7ed11bcba0235d570d

SHA512
bd97959b027988a888010553e7fa424a8c38a7cccfd951e1b9222e5e16ce745e2a657b4dbc9238e5e8c84f66f1c238e999eba45e639f00cc928d2e5e5d66c25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sacred

Filesize
125KB

MD5
c68b90b18096cedb29d5dd73790b6b05

SHA1
00f7a79c3bb847352a8b9ef73a24bcb039890e07

SHA256
f68e29a0f0c076fb5a3539f51168a73692c118cb861f3b814339a1eac86ce923

SHA512
d4df00de092bebe44e13b06587052465b73e67abd5502cac1e50019d7f008e57b74352b0263d986aa95fd7a1d57bb19778661feae5305544e6a33605dd764415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Surveys

Filesize
131KB

MD5
5bf3a39ef1e55247138748c2975a6873

SHA1
60d6c0a87fad62c31824f31c6def118541749698

SHA256
10609820e62098fd90b9344a9ece578451f913433fc8b53dbab9007db210fdb7

SHA512
2d9740527edfb51702f8b7c6c4123f530f559dada973455533f493dee2c5ebdcd1de47d9d47e4b35a2bf850d5c244c9fe59a497ad27f24648a848ca52221129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vagina

Filesize
270KB

MD5
75e4a838cff0be8ef793640d1011129c

SHA1
9788327d28e5c5fb43d03856f395a863f7ecf9a0

SHA256
3bbf6b504ffec824edc168cb1a11121a5b360361ee192f5923aa11e9afe985e0

SHA512
19f1a02ded1f1b79823eb6c6a5e4790412dab2a5395ac83e6ec6e5639fce642f45bb7403b995152dee31c2454063ac7da389676b3605fb57d2950440f7bb4a2e

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\36973\Mentor.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit