7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7.exe
Size

149KB
MD5

43eb1ebf94850c08c0f4bdb842586cc7
SHA1

6e19ce4203e50647668a64553e663156454de876
SHA256

7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7
SHA512

7f9e1eef7c0cad98a30716f1807a3111b6131ec869a9d00d6471f67e88944c871228256fa7c502f15b338483c388d21f9786b1293e820a4bf39c1dfa66bff617
SSDEEP

3072:VLzmQtOI1bffh740dJ56VNpVN+YhSdZWO1pwTDSTzTwEKptPSwQz:D1GVNpVN+YhSdZWO1pwTDSTzsEKLh

Score

9^/10

spyware stealer

Malware Config

Signatures

Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs

resource	yara_rule
behavioral1/memory/1280-1-0x0000000000A60000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

resource	yara_rule
behavioral1/memory/1280-1-0x0000000000A60000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables packed with ConfuserEx Mod 1 IoCs

resource	yara_rule
behavioral1/memory/1280-1-0x0000000000A60000-0x0000000000A8C000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral1/memory/1280-1-0x0000000000A60000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7.exe

C:\Users\Admin\AppData\Local\Temp\7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7.exe
"C:\Users\Admin\AppData\Local\Temp\7834c9c965e64862326bc64f5b81eae81718b230483f1dfcffa25c2d824d8cc7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/1280-1-0x0000000000A60000-0x0000000000A8C000-memory.dmp

Filesize
176KB

Download
memory/1280-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-3-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download