9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe
Size

326KB
MD5

2274f9d8e7fb7825466a3e8a74afaa67
SHA1

f11bf9ec82a7a56bd83bc42198fff51c322c6445
SHA256

9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8
SHA512

66aa6c262f0fc44f739e2cbfe2d70d3ad9ab3439e9fcb49d82b2a360c3a692c32b6320c81a0219adf1d39b2ffbc03c6758ca6bb76884dd3fb23d049f0b9055e8
SSDEEP

6144:YaVWdyzOxeA1DfdwX3MmIOFg8vMn9S3N+WAGVkyzzbnicRmEzoC:YMROxdDfOnMmXaW9dVkyLicIs

Score

9^/10

spyware stealer upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3516-65-0x0000000000400000-0x0000000000446000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
4180	setup-stub.exe

Loads dropped DLL 7 IoCs

pid	Process
4180	setup-stub.exe
4180	setup-stub.exe
4180	setup-stub.exe
4180	setup-stub.exe
4180	setup-stub.exe
4180	setup-stub.exe
4180	setup-stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3516-65-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AC.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AD.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AC.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AA.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AB.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq47AA.tmp\	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	4180	WerFault.exe	82

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4180	setup-stub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4180	setup-stub.exe
4180	setup-stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4180	3516	9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe	82
PID 3516 wrote to memory of 4180	3516	9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe	82
PID 3516 wrote to memory of 4180	3516	9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe	82

C:\Users\Admin\AppData\Local\Temp\9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe
"C:\Users\Admin\AppData\Local\Temp\9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\7zSCBDF4857\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 2228
    3⤵
    - Program crash
    PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4180 -ip 4180
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCBDF4857\setup-stub.exe

Filesize
465KB

MD5
e02ec4f1e463e59d089b1f933b2d3b9e

SHA1
d351495cd8053518846ecfb5136f2b0229ae2ab9

SHA256
1dee41f355cb45ea62b531b52ff59ca7fd040491d9bfc170a2f4c3400bdfc958

SHA512
2e4381f983088fdf28b4d323f52d444b960154403dea21d13da1631eba66d0eec53d88dcdcc351f48af18896fd952e0a8b2c79b8bfbe4be28eab4e5925e8e559

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\CityHash.dll

Filesize
43KB

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\UserInfo.dll

Filesize
4KB

MD5
61ecfcdd332cb31d32c6c019052834a2

SHA1
6de38d0c8991d349d29c208e98c44dbd02682f43

SHA256
910749b3dbf360b06cec386ef2133edf07612f6e5bbf3bdd0a4eaeb27db9ce08

SHA512
e1f8cea77a39628116dd05c8a8c1c149f254265bd4ffa36880251254e3e921619048620e8e61d3f299503528e2d54ccb8e181a075c01c94e3a4916fe1a152393

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\WebBrowser.dll

Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\installing.html

Filesize
1KB

MD5
32de55f44c497811dd7ed7f227f5c28d

SHA1
c111be08e7f3d268e7a2ed160d0c30833f25ae4a

SHA256
6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

SHA512
48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
memory/3516-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3516-65-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download