bed13bf5b39bcd7ae07fd59ba3faeac74f5c03fddee6b92c8496803118402ad8

Analysis

max time kernel
94s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd8f42e4691316404553101af4b6fd10N.exe
Size

1018KB
MD5

bd8f42e4691316404553101af4b6fd10
SHA1

05d2100f15ed052bac7bf4b1bb71d8d4f2dc2bf4
SHA256

bed13bf5b39bcd7ae07fd59ba3faeac74f5c03fddee6b92c8496803118402ad8
SHA512

55618aad9f4eaa761b5e8440eaddfeeab64896408dde8222b0e56e27ca7f1f1bf2dd7b4a9436fd5eefaafbe87796d692d2ea954204c17e5c89e70c7883e83c50
SSDEEP

24576:bnETX1hQfJuu5x8/elO3gsyZg54pjjAx+:rETX1efJug8OO3y049jAM

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	tmppack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmppack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8f42e4691316404553101af4b6fd10N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3276	bd8f42e4691316404553101af4b6fd10N.exe
3276	bd8f42e4691316404553101af4b6fd10N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2208	3276	bd8f42e4691316404553101af4b6fd10N.exe	83
PID 3276 wrote to memory of 2208	3276	bd8f42e4691316404553101af4b6fd10N.exe	83
PID 3276 wrote to memory of 2208	3276	bd8f42e4691316404553101af4b6fd10N.exe	83

C:\Users\Admin\AppData\Local\Temp\bd8f42e4691316404553101af4b6fd10N.exe
"C:\Users\Admin\AppData\Local\Temp\bd8f42e4691316404553101af4b6fd10N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\OXKEKDRHLWURHPOLBMVXUOYY\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\780upb820a\gui\MainProduct.html

Filesize
3KB

MD5
bbccaf41a1428f1a33357a10bc094edb

SHA1
612281956e1b9d895bbc078c271846f881e4c264

SHA256
50fdf1d3cd943aea15616a56391e6f388ea42be11ea3c269412af5b09ef9fbaf

SHA512
af6a25948746cfcdc0421ac1a96d2efa3fceaf9093c3931d25087d9c12258f06a410e7f7d5260d17d6dbdc00dde74df5b25cfda0260ac531a07b7a200ec41bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\780upb820a\gui\events\cav.xml

Filesize
981B

MD5
8a5e1aad7303d8174cf3ba5e3591624c

SHA1
5bc119db938869e24dc18f9f70a5039cefaa9b19

SHA256
a3dc8aa222cb5edb0d18f4526a0b0859647b48b4bdc52a5c9431c4ec6779f538

SHA512
3c5c491234024226e6486f7426ab941a38701e33a0d1c70012cd64080904c2ee3f4f792ed992e3e605357471bc4da30c661b843b6b2501c4bed4041c4a6bc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\780upb820a\wizard.xml

Filesize
5KB

MD5
550a14df20d0eba55a36573b8a6a134f

SHA1
51069bfb0170a87965873b718cd96197b64a3246

SHA256
c86a697d4db9acff79202efa1350db545eb5edfad5820992bcc140bac51a1af5

SHA512
71d5dba9734a40fb37d3cba4cac52d3b0372e1d9eea0e8839117437d85f7b22aae20cc0e02faed239c29bf81624785d04cc62756dde1341f5d61029a94408fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXKEKDRHLWURHPOLBMVXUOYY\installer.pak

Filesize
1.3MB

MD5
9161de0c745a2467e8b1efa7fe828986

SHA1
85ae7bf18c3f0cc68a8489363d883594ace964ca

SHA256
fb46408ed5b0aca2c7ad9f33916f09b212c720473ec3222eadd7b66383b4bc21

SHA512
46b211ad8164ff11a4a48c5ad64478c148defe001cf9896354a0b002f9e1936ca251382a1f0ecf78e5a965557ad44716fd73c0456aae57543cb6d180e76ffd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXKEKDRHLWURHPOLBMVXUOYY\tmppack.exe

Filesize
561KB

MD5
191daa51ab8e3dbe928711f001dc3adb

SHA1
84d307554c31dd13b5789109505b7394f34c7836

SHA256
a39c78f61f42f22bfb40cfe9f56239bb15d7ea6ca153a5ded61c36997a61fa45

SHA512
1b10db82956d2092bee5b0a3f954b47bbfe669193d04fb586545a8a8167d84dc1a6f8aab8bd0d1695145830c733e0fa3b2505223bd50495a65bae32b04837a51

Download Submit
memory/3276-7-0x0000000002B30000-0x0000000002C79000-memory.dmp

Filesize
1.3MB

Download
memory/3276-73-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3276-96-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download