2b437de25bcf24ea92a1c38c17cbd8addf909aa80ab690bc45a8bcdc00a2720a

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SenPalia.exe
Size

152.7MB
MD5

ebaee8df785d18cb8306397700afd14d
SHA1

472b6736936153417a220f1678b69ea6cc99ce3e
SHA256

7f0098669b93e251c412922e7a314f495ba2f1ace1eec1e77ae68e474f1b260a
SHA512

b65fe4b7237e11e09869da8e309d0079b2bd1f0a2de5a1a1e9988d1f751f01fe231deb4b3f2c1f571b613d64c20f732cd492819dd47f693708d42f9f4669f09f
SSDEEP

1572864:6LBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:6ypCmJctBjj2+Jv

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1744	SenPalia.exe
1744	SenPalia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ipinfo.io
24	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3400	powershell.exe
452	powershell.exe
3172	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SenPalia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SenPalia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SenPalia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SenPalia.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4932	tasklist.exe
3768	tasklist.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3172	powershell.exe
3400	powershell.exe
452	powershell.exe
452	powershell.exe
3400	powershell.exe
3400	powershell.exe
3172	powershell.exe
3172	powershell.exe
452	powershell.exe
380	SenPalia.exe
380	SenPalia.exe
4032	SenPalia.exe
4032	SenPalia.exe
4032	SenPalia.exe
4032	SenPalia.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeIncreaseQuotaPrivilege	3172	powershell.exe
Token: SeSecurityPrivilege	3172	powershell.exe
Token: SeTakeOwnershipPrivilege	3172	powershell.exe
Token: SeLoadDriverPrivilege	3172	powershell.exe
Token: SeSystemProfilePrivilege	3172	powershell.exe
Token: SeSystemtimePrivilege	3172	powershell.exe
Token: SeProfSingleProcessPrivilege	3172	powershell.exe
Token: SeIncBasePriorityPrivilege	3172	powershell.exe
Token: SeCreatePagefilePrivilege	3172	powershell.exe
Token: SeBackupPrivilege	3172	powershell.exe
Token: SeRestorePrivilege	3172	powershell.exe
Token: SeShutdownPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeSystemEnvironmentPrivilege	3172	powershell.exe
Token: SeRemoteShutdownPrivilege	3172	powershell.exe
Token: SeUndockPrivilege	3172	powershell.exe
Token: SeManageVolumePrivilege	3172	powershell.exe
Token: 33	3172	powershell.exe
Token: 34	3172	powershell.exe
Token: 35	3172	powershell.exe
Token: 36	3172	powershell.exe
Token: SeIncreaseQuotaPrivilege	452	powershell.exe
Token: SeSecurityPrivilege	452	powershell.exe
Token: SeTakeOwnershipPrivilege	452	powershell.exe
Token: SeLoadDriverPrivilege	452	powershell.exe
Token: SeSystemProfilePrivilege	452	powershell.exe
Token: SeSystemtimePrivilege	452	powershell.exe
Token: SeProfSingleProcessPrivilege	452	powershell.exe
Token: SeIncBasePriorityPrivilege	452	powershell.exe
Token: SeCreatePagefilePrivilege	452	powershell.exe
Token: SeBackupPrivilege	452	powershell.exe
Token: SeRestorePrivilege	452	powershell.exe
Token: SeShutdownPrivilege	452	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeSystemEnvironmentPrivilege	452	powershell.exe
Token: SeRemoteShutdownPrivilege	452	powershell.exe
Token: SeUndockPrivilege	452	powershell.exe
Token: SeManageVolumePrivilege	452	powershell.exe
Token: 33	452	powershell.exe
Token: 34	452	powershell.exe
Token: 35	452	powershell.exe
Token: 36	452	powershell.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeDebugPrivilege	3768	tasklist.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeDebugPrivilege	4932	tasklist.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe
Token: SeCreatePagefilePrivilege	1744	SenPalia.exe
Token: SeShutdownPrivilege	1744	SenPalia.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 4912	1744	SenPalia.exe	86
PID 1744 wrote to memory of 4912	1744	SenPalia.exe	86
PID 4912 wrote to memory of 448	4912	cmd.exe	89
PID 4912 wrote to memory of 448	4912	cmd.exe	89
PID 1744 wrote to memory of 2944	1744	SenPalia.exe	90
PID 1744 wrote to memory of 2944	1744	SenPalia.exe	90
PID 1744 wrote to memory of 3172	1744	SenPalia.exe	92
PID 1744 wrote to memory of 3172	1744	SenPalia.exe	92
PID 1744 wrote to memory of 452	1744	SenPalia.exe	93
PID 1744 wrote to memory of 452	1744	SenPalia.exe	93
PID 1744 wrote to memory of 3400	1744	SenPalia.exe	94
PID 1744 wrote to memory of 3400	1744	SenPalia.exe	94
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 2564	1744	SenPalia.exe	98
PID 1744 wrote to memory of 380	1744	SenPalia.exe	99
PID 1744 wrote to memory of 380	1744	SenPalia.exe	99
PID 1744 wrote to memory of 4400	1744	SenPalia.exe	102
PID 1744 wrote to memory of 4400	1744	SenPalia.exe	102
PID 4400 wrote to memory of 1464	4400	cmd.exe	104
PID 4400 wrote to memory of 1464	4400	cmd.exe	104
PID 1744 wrote to memory of 1044	1744	SenPalia.exe	105
PID 1744 wrote to memory of 1044	1744	SenPalia.exe	105
PID 1044 wrote to memory of 1476	1044	cmd.exe	107
PID 1044 wrote to memory of 1476	1044	cmd.exe	107
PID 1744 wrote to memory of 3128	1744	SenPalia.exe	108
PID 1744 wrote to memory of 3128	1744	SenPalia.exe	108
PID 3128 wrote to memory of 3768	3128	cmd.exe	110
PID 3128 wrote to memory of 3768	3128	cmd.exe	110
PID 1744 wrote to memory of 1536	1744	SenPalia.exe	112
PID 1744 wrote to memory of 1536	1744	SenPalia.exe	112
PID 1536 wrote to memory of 4932	1536	cmd.exe	114
PID 1536 wrote to memory of 4932	1536	cmd.exe	114
PID 1744 wrote to memory of 2440	1744	SenPalia.exe	115
PID 1744 wrote to memory of 2440	1744	SenPalia.exe	115
PID 2440 wrote to memory of 4860	2440	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
"C:\Users\Admin\AppData\Local\Temp\SenPalia.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,2775936820654420902,15437176500160667048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --mojo-platform-channel-handle=2100 --field-trial-handle=1916,i,2775936820654420902,15437176500160667048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\where.exe
    where /r . *.sqlite
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1916,i,2775936820654420902,15437176500160667048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
50c591ec2a1e49297738ea9f28e3ad23

SHA1
137e36b4c7c40900138a6bcf8cf5a3cce4d142af

SHA256
7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

SHA512
33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cc16809-da35-48c9-85ff-3a6af5817610.tmp.node

Filesize
131KB

MD5
a1c6cae84506c18847d8ce536057d958

SHA1
6cf40bee0defb1f012474112c2608a192f7fdfb3

SHA256
85f88c6fbc56ed39f4eac43bb1cc8a64b0cc134c44840ed0d76a1ccbefebd29b

SHA512
a69343fc43694baec120290b679e3aaf9bfabb6dbab2dbe810ce88ea8b905be15ea4cbd28bd5a576ae5f9c7494ac1363ebd95cc01ffdb50a2ea32141e9af2bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\749a700b-2368-46a2-b3e8-97713cd82991.tmp.node

Filesize
1.8MB

MD5
3dcc0b484b77179b0f36b06935ad9c66

SHA1
725bb12a8e4582e2564119f2b99be60d56f4aaaf

SHA256
822f8e0e462a819e72f11a4449b38753dc0d5556b1d87652af49fb0e37d61089

SHA512
0efff53325ef8a685a58ae08e12f9cda2d7cda9835312780f200caf611c4acd09ce35865c39f3a673ae42dd0b8f03f70d210a13326fb6876907c9389921baa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ylmrssbe.ueg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3172-16-0x00000272E64E0000-0x00000272E6502000-memory.dmp

Filesize
136KB

Download
memory/3172-40-0x00000272E6A00000-0x00000272E6A44000-memory.dmp

Filesize
272KB

Download
memory/3172-45-0x00000272E6510000-0x00000272E653A000-memory.dmp

Filesize
168KB

Download
memory/3172-46-0x00000272E6510000-0x00000272E6534000-memory.dmp

Filesize
144KB

Download
memory/3400-41-0x0000024CEC6F0000-0x0000024CEC766000-memory.dmp

Filesize
472KB

Download
memory/4032-76-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-87-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-86-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-85-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-84-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-83-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-82-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-81-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-77-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download
memory/4032-75-0x000002A97F290000-0x000002A97F291000-memory.dmp

Filesize
4KB

Download