c406a9efc810c0adf7af2c9cfbd70f24ff331cba3ccad0d4a212773db263803b

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0273aa67518aadfc4d2781e7071df0N.exe
Size

47KB
MD5

3e0273aa67518aadfc4d2781e7071df0
SHA1

ad04ae5a347ce8372a4d719d5b5058da93d84f00
SHA256

c406a9efc810c0adf7af2c9cfbd70f24ff331cba3ccad0d4a212773db263803b
SHA512

b2d450ae4cb7eee29378fa733f84d2184fbe96c6d13d438ca2954133750468b067ca341845b3a3d1c73412297d46f672907e2436b40d76ff862682367713d795
SSDEEP

768:f6F85fJTL9dKzMomchzSyohFTRg5EZlHJ:Sq51WzMvcdSywFdjlHJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu	3e0273aa67518aadfc4d2781e7071df0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\Chess.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\uninstall.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Install\{16435541-C196-4D4E-9379-340CA3D46D1B}\chrome_installer.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GRAPH.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\jp2launcher.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\uninstall.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaws.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\EXCEL.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaw.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Install\{16435541-C196-4D4E-9379-340CA3D46D1B}\chrome_installer.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.usr	3e0273aa67518aadfc4d2781e7071df0N.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	3e0273aa67518aadfc4d2781e7071df0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\USR_Shohdi_Photo_USR.exe	3e0273aa67518aadfc4d2781e7071df0N.exe

C:\Users\Admin\AppData\Local\Temp\3e0273aa67518aadfc4d2781e7071df0N.exe
"C:\Users\Admin\AppData\Local\Temp\3e0273aa67518aadfc4d2781e7071df0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
a3d55bab11353e7992ed52b659ae8596

SHA1
d0d7e2a38c06a29c2c63ff8a26013dcb96b890ea

SHA256
10225d9dea8d33d8e588c9c4099b6a5d5fe7f35fb021d8ecf3af7fcb64d672a6

SHA512
5b0ac9866e2cbf2dca39d60466c42928a1101ebceb16e1a19b9abe629818d079cc2b10fdf025bfc7b8c55ed8d53d251cbdfa4e56b9d26bcc573bc8d5da692d36

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.6MB

MD5
d47340fba43301260dad145286bec1c2

SHA1
113ba6b9396ef57b6f59ebfe3b6e6b0d28d81478

SHA256
83fd14647613ebe8f0c83e2bcbd9e9ff0b1e9cf34daa2fa7099f5beb9dabf637

SHA512
e643bc088207a9580ce92dfd203196678cc5cb6dd36ac78f6d05ac7936416541984549684832cda610f4a53fb3167359b01fb0497301fbe1778b5a20919e8935

Download Submit
C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu

Filesize
47KB

MD5
3e0273aa67518aadfc4d2781e7071df0

SHA1
ad04ae5a347ce8372a4d719d5b5058da93d84f00

SHA256
c406a9efc810c0adf7af2c9cfbd70f24ff331cba3ccad0d4a212773db263803b

SHA512
b2d450ae4cb7eee29378fa733f84d2184fbe96c6d13d438ca2954133750468b067ca341845b3a3d1c73412297d46f672907e2436b40d76ff862682367713d795

Download Submit
memory/2712-8-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download