96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b

Analysis

max time kernel
92s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 07:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64.exe
Size

401KB
MD5

3e682955546fe3b6b1296a509ff80f65
SHA1

da050e533305cd03b0235af1cbccfd3ff611d4c3
SHA256

96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b
SHA512

dcb1dc90e85179e39dfcc773f9f790e230d9b563cb50dedac1f2e5d0106797bd8fd2b8c9a14b68134eb0b5b7aff66de1b6f6c46a69f9d98542070fa168d87436
SSDEEP

6144:cDGeTb5E+Z7EAXrvPRIxK0zBL/TIDC2dL3RltnfoBglM7zMUdsvk3zhAt76zkiz4:cDGelZ7FXrPy4ix+LBltsgK7zXIqbkT

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1956-1-0x000001DB54DE0000-0x000001DB54E4A000-memory.dmp	WebBrowserPassView
behavioral2/files/0x000700000002326f-6.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/1956-1-0x000001DB54DE0000-0x000001DB54E4A000-memory.dmp	Nirsoft
behavioral2/files/0x000700000002326f-6.dat	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	64.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	WebBrowserPassView.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1732	WebBrowserPassView.exe
1732	WebBrowserPassView.exe
1732	WebBrowserPassView.exe
1732	WebBrowserPassView.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1732	1956	64.exe	82
PID 1956 wrote to memory of 1732	1956	64.exe	82
PID 1956 wrote to memory of 1732	1956	64.exe	82

C:\Users\Admin\AppData\Local\Temp\64.exe
"C:\Users\Admin\AppData\Local\Temp\64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Public\WebBrowserPassView.exe
  "C:\Users\Public\WebBrowserPassView.exe" /stext C:\Users\Public\WebBrowserPassView.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\WebBrowserPassView.exe

Filesize
391KB

MD5
8b2597e2844a621b45f2616952b074b2

SHA1
c93b6da0726154b989674219e2c0238559d73f62

SHA256
119a6e9c8246102cd4cc8c6926d9c9ef66646079ff361dd73cf43e869081f0c6

SHA512
552f7675b39cbf74dc3b5b1571cec5b6c6b3e2b8ef287126f5b48d6d5940b12680149f835fd53e04286aece3dc8dc7c51e76d17b48150d0d4ddf4e3f0d6cabd2

Download Submit
C:\Users\Public\WebBrowserPassView.txt

Filesize
4KB

MD5
8651f1ecc401fe73c45d06863467d144

SHA1
0150ba4649afe382ae1705552473bba7beb990f4

SHA256
51827e101e890667e6d9b8aa7b804d56b53cadc110b5b8b834229788c29a65e8

SHA512
c0b371d9080c0e82adae100a9400bb7bd239cfe243c072dde0f9310524b92d16a10db9117403d8af227cef9def552dba7c04da3b3bd46a88836acc071cb9890f

Download Submit
memory/1956-0-0x00007FFE7E333000-0x00007FFE7E335000-memory.dmp

Filesize
8KB

Download
memory/1956-1-0x000001DB54DE0000-0x000001DB54E4A000-memory.dmp

Filesize
424KB

Download