7ced2a74467a6c893720a90362b09991fea0eba0f682556fd15f08a9fd7a9ac9

Analysis

max time kernel
335s
max time network
340s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
02-05-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1714654664.9576216_setup.exe
Size

3.5MB
MD5

9c773ca35120d278e934beaa281ee353
SHA1

b9d6b488006eb05f85d790b12144309ab2d4be67
SHA256

7ced2a74467a6c893720a90362b09991fea0eba0f682556fd15f08a9fd7a9ac9
SHA512

9a33b36ca3215dbd2e37ad343bb627173f3985bc44162552354b5eec5f725fac0b1db985a7df2fef7fcf046f2b3b2e5473c377344470395e4f1284f4e2c6bebf
SSDEEP

98304:42b6HbvKrNUkWvjPJ6taLV18tRN8dru7C3mXWVwnw:42OHbSrikO12aX8twdeC3Vo

Score

10^/10

evasion spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

1714654664.9576216_setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1714654664.9576216_setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
4 api.myip.com
5 api.myip.com
6 ipinfo.io

flow	ioc
7	ipinfo.io
4	api.myip.com
5	api.myip.com
6	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

1714654664.9576216_setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1714654664.9576216_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1714654664.9576216_setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1714654664.9576216_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1714654664.9576216_setup.exe

C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe
"C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2228-1-0x0000000140509000-0x000000014050A000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download
memory/2228-10-0x0000000140000000-0x0000000140547000-memory.dmp

Filesize
5.3MB

Download