6492dac1d123d1de20756741192a6901dbb2d88966b9434b055566d0a31760a2

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1719158494.319805_WWW2_64.exe
Size

4.2MB
MD5

4234a87227ae02a017a7fe64bb732bbe
SHA1

f14926af80b812905dfee9fbcbf23b3f859365ad
SHA256

6492dac1d123d1de20756741192a6901dbb2d88966b9434b055566d0a31760a2
SHA512

9c56bba97dcca40291c2afec345a260623ebdf40b42c998c081cf7e8821b7bba525bfdf4c08ed537fc251c78d2346d58089aeb9eefe77735873cae40d2203c9f
SSDEEP

98304:65SHb/0TC4UKZw7ASfLlkfeK7a7LX+taAYTuJpdGrB:6M/M/JSfLWALX+RYTuzdGrB

Score

10^/10

evasion spyware stealer themida

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1719158494.319805_WWW2_64.exe

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000002aad0-109.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
21	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
4	ipinfo.io
7	api.myip.com
8	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1719158494.319805_WWW2_64.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1719158494.319805_WWW2_64.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1719158494.319805_WWW2_64.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1719158494.319805_WWW2_64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	1719158494.319805_WWW2_64.exe
1664	1719158494.319805_WWW2_64.exe

C:\Users\Admin\AppData\Local\Temp\1719158494.319805_WWW2_64.exe
"C:\Users\Admin\AppData\Local\Temp\1719158494.319805_WWW2_64.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\SimpleAdobe\2GKWWeTv71_ZgorTBROaltnj.exe

Filesize
2.0MB

MD5
ceffc45d75de5dbf0626b210eff1e870

SHA1
ec8cc99faf027df7caa84b9dda62e788086b1f01

SHA256
6d17a074fbfbb4310d79a2eedb86ede46d58d279ad7a7188e0997a6b28df44d6

SHA512
39e2a044a4bfc08d3fbd9d465c855f4444150c0c5210a56b1d6d27acee92b118ee56d7f9a2d304d4594933f559a89d6862cae8ca43a47632132cfe03112cf592

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4M33CeE5nfQU1rd_j1NV6HLa.exe

Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EL4qA80P2nDHu0eoP3SeYX77.exe

Filesize
3.9MB

MD5
3ffef3be0ce2e9ec92109ad8231e8efd

SHA1
3f4b7523e4497b51d687678e5e04612fa2ef0b0c

SHA256
9b3084aae2c7e9abd86304bfdaa1602b33318b165c99a0e12e074f5e3e73f6a5

SHA512
5d41afb26bdfdef89030f3fcb89995917fcc53a960e74fa87a2f3fcd86ed4c79f413350e740360bf33ed74342408feb6a8e47408d19b366f63a2f69576c4c5b2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KWjblQ9QOStACiYYH0rtWTA7.exe

Filesize
2.4MB

MD5
033e16b6c1080d304d9abcc618db3bdb

SHA1
eda03c02fb2b8b58001af72390e9591b8a71ec64

SHA256
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327

SHA512
dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WfTgta5WPjijfB155uWBHHZw.exe

Filesize
5.6MB

MD5
92ab10cad21bc837acee5ee7759affe5

SHA1
ea60dcd299801cc77f3b20999545d17822941d17

SHA256
73bb79e71e054b467fde75c5e47d0cd07cb2a5b716958e77db10b45563f21312

SHA512
4dc39c5e2038095fd942d9d2c001e10ec0015d4e8901a189cbedc164edfa54a8f2cd8e37bb332af7b852f11f91e6af98221a14a801641536b35dbada8a61ac43

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\YnSvsKhbiLOUOxgxlOlruJrn.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\_OoFSf_wXXkzvnMktDTYroeB.exe

Filesize
1.1MB

MD5
eeb4b01cd2d0e34bbed8946c865ffa9e

SHA1
c6e32035dd97a8ddcf7a34a1e15120a372a1c650

SHA256
7febd24ccb03455d2f784440b37be066b6b7673983d03c519b1c5fd21930ea26

SHA512
68fd69a567a7ffe37105cd8e29f5817832743b466d7f7ed2af31c5268537b2db3796d81db37b350ad71bfe5b367f37d5b44448a9d31c6a387682c2c18cd17d8f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\aD6EeaWc0ANl1UcIU8pjAMdj.exe

Filesize
4.2MB

MD5
fb0fb326ec9ca21a16cd9ea0335f7863

SHA1
128669f4a9bb6207fe64264e3e3b3e395c1ea725

SHA256
924eb3fb14811ea44ccdeb1771d07addecceac3df96f694b2e9c4fd54b9a03ab

SHA512
00eb6858049583e3849640ea338a729db8eaa25904b269ac4e1fe2d23076cdc7e8b813b1710b923ca667a7f3f9a3178bc2fe9fdc604bc2576d473a078d985dd8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\aspR8VuNtToCuGKBbyNGSSvH.exe

Filesize
7.3MB

MD5
ae3c55889a0134f93a382b12e19bfbd3

SHA1
2159c278d0e1f484a38838432579492305600dd9

SHA256
80256f9510b768db09a2c2f38304fb7a7f7131fd0aa41011938865e4ce83c177

SHA512
079ed9a6029a99ac093618822aad2f2db6a6ca40c029df60a84e7d90cc11d91dfe139b84f101f437017115cd7a4ade97fdbfff24d3b98efa0db8d1f508da018c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\gIDaYJQ46yTDctqmTrP0hUeD.exe

Filesize
489KB

MD5
25c5455d10f6dac8ee249bf2f6c32ca2

SHA1
b639abf80fd638449d29425f46b435335f131fbe

SHA256
497976ce4728220581fbeb34ffd94119da5bffee7ac70a4ccbcd30b1bd913ea2

SHA512
8008492c302496f2e3cefca5a435e16477d5c2fb9add6bbf963407636c0cb041a27590b8284443c5703414eda874332aebe94326b815b015cd645038d8bedc47

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\gMC6A6SQ33iFgmfhOagSNS4i.exe

Filesize
4.2MB

MD5
3735bd77716b298fa25df1a600917b6b

SHA1
a39b2a40c50b3fe3bbd35b4b57c43c5ce4bdc31d

SHA256
a0337360889331207ddb76818e012ea45c5b80bcdf81e913c9df40ae94fbd9cd

SHA512
6bcd1ba25871fd3526e806ec0c21b0624c98900be4c294fe0129763a8ff25775d4be3f7ca9630ba0f50e939a12e60b87151df5c6d2507570ff1f3c363a45af65

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\pceUgwNB1y0YfqLCqhRMQKLF.exe

Filesize
3.1MB

MD5
2e4383bdf02d9658512afeff4b9a634f

SHA1
fb519e90aad74705a133fc5c32f5e2e4a194f48f

SHA256
f53ae4631a31583c2c979601780b7ff6ff5ab30ff8b740c839d722766718211e

SHA512
309bf2391f7792fa09161b8c0ce652a2d1e5596ab15655eef693a100d5f94df4778ea2cc86643bf80eb353969657ae4160b40e2acc72e88fdd370dda30b714ad

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\zEfo2aaTGtY8Jlw7voPE_fRy.exe

Filesize
4.7MB

MD5
1570c3c8a9782660e2e96a584d620c68

SHA1
4710a5198ddfb7a6af032ea783136b03bd7bea19

SHA256
8a2b3b8e6b4b4dd888503f88003177f842b8601a43397a8abb5827e866ab2c70

SHA512
e66186ae33d9858ca6bccb399c8dbba1d36f5799c5a11415dc163637987105bd9753eb703959dffc0319c713b56fc174182bf3e88de7137b34ec7cae8404de2f

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1664-0-0x00007FF72C805000-0x00007FF72CA17000-memory.dmp

Filesize
2.1MB

Download
memory/1664-6-0x00007FF72C6A0000-0x00007FF72CE47000-memory.dmp

Filesize
7.7MB

Download
memory/1664-15-0x00007FF72C6A0000-0x00007FF72CE47000-memory.dmp

Filesize
7.7MB

Download
memory/1664-2-0x00007FF72C6A0000-0x00007FF72CE47000-memory.dmp

Filesize
7.7MB

Download
memory/1664-14-0x00007FF72C805000-0x00007FF72CA17000-memory.dmp

Filesize
2.1MB

Download
memory/1664-1-0x00007FFA572D0000-0x00007FFA572D2000-memory.dmp

Filesize
8KB

Download