64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

Analysis

max time kernel
125s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
Size

2.0MB
MD5

0e77c7eaf29e7cc81d6a5870545509a3
SHA1

e56496e200c3246c149b41bd826b9e762fa5e534
SHA256

64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e
SHA512

bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18
SSDEEP

49152:R6K39H/NzGjGzMErFiEntNARL3AVtsk53gEdMJ9O:R6KnjrLntNAR2tPfO

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/memory/1916-1-0x0000000000990000-0x0000000000B9E000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000015c9e-33.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2768-43-0x0000000000ED0000-0x00000000010DE000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2768	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
Token: SeDebugPrivilege	2768	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1972	1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe	28
PID 1916 wrote to memory of 1972	1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe	28
PID 1916 wrote to memory of 1972	1916	64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe	28
PID 1972 wrote to memory of 2240	1972	cmd.exe	30
PID 1972 wrote to memory of 2240	1972	cmd.exe	30
PID 1972 wrote to memory of 2240	1972	cmd.exe	30
PID 1972 wrote to memory of 2556	1972	cmd.exe	31
PID 1972 wrote to memory of 2556	1972	cmd.exe	31
PID 1972 wrote to memory of 2556	1972	cmd.exe	31
PID 1972 wrote to memory of 2768	1972	cmd.exe	32
PID 1972 wrote to memory of 2768	1972	cmd.exe	32
PID 1972 wrote to memory of 2768	1972	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe
"C:\Users\Admin\AppData\Local\Temp\64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sXDlkLC2Y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2240
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2556
- - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe
    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe

Filesize
2.0MB

MD5
0e77c7eaf29e7cc81d6a5870545509a3

SHA1
e56496e200c3246c149b41bd826b9e762fa5e534

SHA256
64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

SHA512
bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sXDlkLC2Y.bat

Filesize
250B

MD5
65c17b98a5ddf0cbd016349e6c0f3295

SHA1
efcecee089d18e5ec0fe0364aff9f44b7b45f72c

SHA256
610f94b974e8f2808a821eb3321fdceaa487a1adab87a873b3679a50384efbcc

SHA512
cc5aae5727d87a6a817afcb609187e687bd08d5aeabb79293dc1032fec36c196294f6c51f6c5b2a6755fbc969ca978b16b0a738719df15cce1888f4ca2a6ae14

Download Submit
memory/1916-13-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-17-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/1916-4-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-6-0x00000000004F0000-0x0000000000516000-memory.dmp

Filesize
152KB

Download
memory/1916-7-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-8-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-10-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/1916-12-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/1916-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-15-0x0000000000960000-0x0000000000978000-memory.dmp

Filesize
96KB

Download
memory/1916-18-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-21-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-23-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-22-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-20-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1916-2-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-1-0x0000000000990000-0x0000000000B9E000-memory.dmp

Filesize
2.1MB

Download
memory/1916-40-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-43-0x0000000000ED0000-0x00000000010DE000-memory.dmp

Filesize
2.1MB

Download