397ff48f9ae2034c72bb9428427fbf6eca8df5b215723ba31094cf323f32df5e

Analysis

max time kernel
101s
max time network
27s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57113e6cabcb9b9683243e402ab09710N.exe
Size

8.4MB
MD5

57113e6cabcb9b9683243e402ab09710
SHA1

fce100b45b4700974c481a3e7487545851bc6661
SHA256

397ff48f9ae2034c72bb9428427fbf6eca8df5b215723ba31094cf323f32df5e
SHA512

da3042489a758f3b785bc28a303260a140ec7e730e10f14715acacd9804bff132c1f2be439fd2597a11e14aafb2e2cfaa25b5ef283c5770c216d55e9e7981c2f
SSDEEP

196608:KuqYM3svK25H5gABbvqlFl2J1GJySPHnlN5NRq9PeLra6ykCShF:KuPMKK25HvhvqlFJySHnlJIuaPQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2456	af_proxy_cmd_rep.exe
2704	af_proxy_cmd_rep.exe
2692	HssInstaller.exe
2652	HssInstaller64.exe

Loads dropped DLL 23 IoCs

pid	Process
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
2456	af_proxy_cmd_rep.exe
2456	af_proxy_cmd_rep.exe
2456	af_proxy_cmd_rep.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
2704	af_proxy_cmd_rep.exe
2704	af_proxy_cmd_rep.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
2012	Process not Found
2652	HssInstaller64.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	57113e6cabcb9b9683243e402ab09710N.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	57113e6cabcb9b9683243e402ab09710N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	57113e6cabcb9b9683243e402ab09710N.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	57113e6cabcb9b9683243e402ab09710N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1244	57113e6cabcb9b9683243e402ab09710N.exe
1244	57113e6cabcb9b9683243e402ab09710N.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2456	1244	57113e6cabcb9b9683243e402ab09710N.exe	30
PID 1244 wrote to memory of 2456	1244	57113e6cabcb9b9683243e402ab09710N.exe	30
PID 1244 wrote to memory of 2456	1244	57113e6cabcb9b9683243e402ab09710N.exe	30
PID 1244 wrote to memory of 2456	1244	57113e6cabcb9b9683243e402ab09710N.exe	30
PID 2456 wrote to memory of 2704	2456	af_proxy_cmd_rep.exe	32
PID 2456 wrote to memory of 2704	2456	af_proxy_cmd_rep.exe	32
PID 2456 wrote to memory of 2704	2456	af_proxy_cmd_rep.exe	32
PID 2456 wrote to memory of 2704	2456	af_proxy_cmd_rep.exe	32
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2692	1244	57113e6cabcb9b9683243e402ab09710N.exe	34
PID 1244 wrote to memory of 2652	1244	57113e6cabcb9b9683243e402ab09710N.exe	36
PID 1244 wrote to memory of 2652	1244	57113e6cabcb9b9683243e402ab09710N.exe	36
PID 1244 wrote to memory of 2652	1244	57113e6cabcb9b9683243e402ab09710N.exe	36
PID 1244 wrote to memory of 2652	1244	57113e6cabcb9b9683243e402ab09710N.exe	36

C:\Users\Admin\AppData\Local\Temp\57113e6cabcb9b9683243e402ab09710N.exe
"C:\Users\Admin\AppData\Local\Temp\57113e6cabcb9b9683243e402ab09710N.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy_cmd_rep.exe
  "C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy_cmd_rep.exe" -P -H hash -O -T it -o 7 -u "http://rptx.anchorfree.net/wr-install.php?dm_ver=0&ver=3.33&ch=510&state=initiated"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy_cmd_rep.exe
    "C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy_cmd_rep.exe" -H hash -O -T it -o 7 -u http://rptx.anchorfree.net/wr-install.php?dm_ver=0&ver=3.33&ch=510&state=initiated
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe" -iswow64
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\HssInstaller64.exe
  "C:\Users\Admin\AppData\Local\Temp\HssInstaller64.exe" -installdriver -c ndis6
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\HssWelcomePage.html

Filesize
6KB

MD5
62667b2892588f68e441ddbff883051a

SHA1
3c542d2b8e6f88d2b2b238ac1c0408a46de8a98e

SHA256
a36d7361214dd47cce7be4b7a7816f8a84758241952a3999ae96a2b5761ee890

SHA512
cd6393c6181655fd263f52fc3f41abeb60f2f6dc4cb847ac0bff77df7cab55318153a7e1b7b535775281635b4af461fda685939fb849e4ca6b9887e627909c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\lang\English.js

Filesize
14KB

MD5
28eeb04c43fd1613611061d468947c23

SHA1
6763f84ef67731236d3aaf19275a71d16b42b212

SHA256
3e5f2965ad61a2eaa80044a7365bcb0c248a318b95ebfb2c9448d3f157736a80

SHA512
af730bbfe3dab6f1b0629b1fc8d92515ae6db7f5efd4cb35ac6f740aa8512fe59289721707844dc8443b88ce604913c061d4031f3dc59724d8dec01ef9464531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\lang\Internationalization.js

Filesize
8KB

MD5
eb275f9a017b54f3e4a6d5fd790d0164

SHA1
8732c8e079eda85345b7d50b5c4ab8043f4a920a

SHA256
9e7980681c4bc9c2296a437aba15858bc3eb5df5782be37e88a67275199f19a4

SHA512
eb5570adca253caf01c6023c7b4587fbfbc0fb2da1cab47242c3a807c7ff754dec9e30c7ac7d58225afd28ca5b05887ceeb932ae5bfe7e69b7c26cd219d87640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\lang\Japanese.js

Filesize
12KB

MD5
7b05c522a7176e197d8f966dfe8cdc4d

SHA1
9fcfa794070c35d0339fa166c1eae46adb0068fc

SHA256
2e450a2d7f2249e7592e5b300f22a2e13544482e6abc56e18240d6a588f65437

SHA512
0e1f8bdacc371ab49476cc38fcf00a20b4e31a6afb130516d9085327f9670078716047b610f85b922058d60757d8138eaec87e095522c30b280ebfcf2e81ff91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\scripts\HssWelcomePage.js

Filesize
5KB

MD5
64515a4b603ad58c7b31bfc6d63f6be3

SHA1
7bd6ad427a7b22b31134004172bfe084b78c6e39

SHA256
8d83ceafaaef249d504a8a127a628690ea382cc5d7a54caf71bedd2350406ffb

SHA512
3b22696c8daf425fe439af97040d54cd60a169a10617e97889cd23598904cb46c1cf3b7752182509db013475ffad086860bffab396881878ccaaba3973c2552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\scripts\Toolbars.js

Filesize
4KB

MD5
afce92de677bd2acb7b137f85fc44d8d

SHA1
961c88fdd5cd7d8262d74928cf1ebc4080661132

SHA256
386fb876b065b82e935a66dca519c312ba5c96c664b069117f022a8c6653f616

SHA512
39bb70d37b8308d07060630ae52672df9f7dce7f6b67ebfcbc450aabfe2e76ad07408388f9469a9a4a3cbe43f1947c6ca9ba0e55f16a35bb84d86a61cf1aa953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\scripts\common.js

Filesize
7KB

MD5
222977c3bdfa7222564d51f88d7a69e2

SHA1
b242469dd2447600cc17f8d571ac6fc41f7fa214

SHA256
c39f59a35686a1bfa6ee1ba104e9a2e2197270d324cb4a2259dfc0c0cd746c17

SHA512
dd7068e82301de97ad884ff7c016ec77dc90813a4de05200f8b4334bf21a2c4cae29bfa8b0f925024a81f84c21de3837b156e7cd5b592adf260aefe823f93ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hotspot Shield\html\scripts\nsidefs.js

Filesize
2KB

MD5
d5e28cf648c49ea1bd0e5af64f40260b

SHA1
80a6f7dbd8e0b8072c2a9c692b10c1ddfa754586

SHA256
e2bce29513c8a09c127a3b05b2148b5fe6e788f9060e6c60dfb781676aa86ddb

SHA512
6d5b6aadc825fbdb889dec058445734f428e322a61a55a049e26977c6eb46113fead834c0101b6c558e21cd41a0c9c8ee11e23eeb327c0c778aacdada0fdab10

Download Submit
C:\Users\Admin\AppData\Local\Temp\HssInstaller.exe

Filesize
357KB

MD5
548c9b52b6c3e070779a64938057bdce

SHA1
d6023754d0f3296dfeced8443c3e1111b5d4907b

SHA256
a6560bc5d0039539bb156c404ba6723732f77ac0bd67f5ff2ec4cf11226298ba

SHA512
f8a157b177a813164e416640d4bcf14adb3cc961d2e928eeea70b76994c01cdecc7b3bf5bc4914afe16a10372561cbc6f9aa6cfa8bda87726dca02ce2c294cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hssinst.dll

Filesize
21KB

MD5
856365cc5249af28388514765cf37377

SHA1
a515a9b9fae3e55220fcbb1d6d4e07ed9c47fe0b

SHA256
86991a8c30cab5a96b4554726f4cc22820413010773416f92f56c8eb7339f5cd

SHA512
ba592fc5b367f50ee44b5ec8a7c35b9de77052cc4cef7f5eef0aad896ea8e0cb435932e45b64cd04f496ebebbe9375fe7514cbc013d1d8647f371fdf54c2a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\ExecDos.dll

Filesize
9KB

MD5
1b6f8e5a5aaaefbb8780cb245c3771c4

SHA1
134d11153e9f998ba2dcd52de7a432d6aaf14352

SHA256
3a934717fbadbc907d0650cd4095474380603fcfb403a02ca7d3dd5ade277d57

SHA512
949e7110f844dc2f6a921b6db7e0d98eca21b629468dd44afa040dc2ce09345673b00f7541ba295731da3518e71dc0cd24e9948b2642cb71fd8ea2c312170311

Download Submit
C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy.dll

Filesize
934KB

MD5
3388d55bc7d9eb92982d342299910494

SHA1
1aa8fb72c4fc2f2d7e9e3824a11092701662efb9

SHA256
ac0c99a3ae9be803993d7ec8e346d62477425f591eb7c4854d4a0a3c0a1c2a45

SHA512
51742f95f3b710229e13e429fd737a114e8f10ca7c73ad6307059dd6ade58da7a7e470274467f91ba63654c738fd87eb255573f9bc851a8df4b034297df04f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Hotspot Shield\report\zlib1.dll

Filesize
73KB

MD5
c7d4d685a0af2a09cbc21cb474358595

SHA1
b784599c82bb90d5267fd70aaa42acc0c614b5d2

SHA256
e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc

SHA512
fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

Download Submit
\Users\Admin\AppData\Local\Temp\HssInstaller64.exe

Filesize
216KB

MD5
b4feda373d0253d801fce3867325178b

SHA1
6d081fbcaf2c09b81ec5ded445aa6f2c05295447

SHA256
5985b9c01541f9477a8828adc5e2cc5e23f5053b60a28335c3e32a7f0f5d17c3

SHA512
7900ba58a96aff5100b632685897d1e3553cab7c25727ced6a45bb8208e8893c92a954168854a93d2e8e65d805a71d2846c9c7d9be3c6c490ad2973b0219e6de

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\AfnsWBC.dll

Filesize
191KB

MD5
8b347f1954b13dd3be84421f95ae7038

SHA1
f7dd4f7c3829121d435591d5600b2631a2c20d55

SHA256
069ddd10aa52449d98da96f612ec02af2dfed3b999cf04e419415d905f2b238f

SHA512
104e0010d75e7bb6377c0a7483b8d9ab0941d72ac61800b4580b1ad9cadeefd0f823807b14ea9ce96fc85d5537c8b7efa3bc1c4f954a6a077c53069ef67d0bb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\System.dll

Filesize
11KB

MD5
b9f430f71c7144d8ff4ab94be2785aa6

SHA1
c5c1e153caff7ad1d221a9acc8bbb831f05ccb05

SHA256
b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655

SHA512
c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\UserInfo.dll

Filesize
4KB

MD5
351b802508ee5462cbf7f35454a9dca6

SHA1
7b9a1bc758e10af02124143680f636853b421da1

SHA256
39275ee1767aac3ae0929a3e67a84a921610b45d5cfff3db1641893504d5c78d

SHA512
6b0a4a500597fefaceb5eab79737d4f8dd253bb6bf8c263699314deda417763857b4407457d877b28f7a9c1f40a241d378ccae80c68541ff3f102eac8a6ff8d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\nsDialogs.dll

Filesize
9KB

MD5
7823fc560926dcd8741de6f0b900083f

SHA1
93dc0a704bc0b8f90668548e36daf459be0ae10a

SHA256
ca869d6c6752aa4a8a6c874a694b543442992d7e854d0c48a1b60bca01a8c8c6

SHA512
c79509cd306638ea9badec64ed9f7d0690e46fcab7ac77f25134065b628e76d2812f2d874ea2cc4283685c567b613a39d27b9fc4a6de2d4b9d30131f3161c4e9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\nsProcess.dll

Filesize
6KB

MD5
783f9ced5ffcb3dc0972f9eb2d4cfba8

SHA1
999523b7f11e4ba08a6f23cb9a40e5323c4a6a25

SHA256
a99c45c1c9522f99955618cbe4212091b2018e5b1bd4231687970589a2ea015e

SHA512
1cb88a698aad36af30a2ae3e07167eddcafda7f31bb1e90fd8dd8f419efa72b356a6e9a2d53d850c211a2a5a974b8503ceb1c794eea3218e008f6d2e3213b40f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB7EB.tmp\nsisos.dll

Filesize
5KB

MD5
b1e1f665d57874de41df72dda21bc6a9

SHA1
4898d7b41b48ef6350b0b6730805f201e52e4cb4

SHA256
0619ec35b9632b28d84e39343b6dbc5ef9732c85f1ca97c05aee744d22b7e930

SHA512
9f3a5fcab235d15d2f477ec335d08a490c889842c227aed49179dab4fc909221c66d9d6110b465da8a4a4b07cac07192e22b1fd62d96e2494baf510858ea004a

Download Submit
\Users\Admin\AppData\Roaming\Hotspot Shield\report\af_proxy_cmd_rep.exe

Filesize
339KB

MD5
4b4cf64895d2fca31952a2b8b89080dd

SHA1
ca69c2779ef12d405e0de134b071a2db63c01a89

SHA256
2f5ca87b9a847dcebb52fe61249fe98cb400d4ab33250cecb4d414a35e40da1d

SHA512
4b705df027f1f46fb043156fca7d66d882fddc5805029f6c55459ccd65a38fadb7777c2becbfe3d2f6d9014109936aaa0996160773342e277df704cf5cdf420f

Download Submit
memory/2456-44-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download
memory/2704-245-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download
memory/2704-247-0x0000000061B80000-0x0000000061B98000-memory.dmp

Filesize
96KB

Download