d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
Size

1.2MB
MD5

c7063a446a39404c6381dc8567bc4ab8
SHA1

bd75680dfc9773c3dbadf4249f33cbce1fae2e45
SHA256

d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841
SHA512

712be2ed1546e50b42bae968d89cc87891a9fa11975605f5d9b2618ce94b157af0d035d15ac88dedf4d6e9ff5e89d5622df1dbf01537c9bd6320faaf61eba7d3
SSDEEP

24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8awl3LLa8hYozG8nwT45:FTvC/MTQYxsWR7awl3LCo

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 1096	976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	87
PID 1096 set thread context of 3404	1096	svchost.exe	56
PID 1096 set thread context of 3844	1096	svchost.exe	101
PID 3844 set thread context of 3404	3844	credwiz.exe	56
PID 3844 set thread context of 4316	3844	credwiz.exe	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	credwiz.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	credwiz.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
1096	svchost.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
1096	svchost.exe
3404	Explorer.EXE
3404	Explorer.EXE
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe
3844	credwiz.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1096	976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	87
PID 976 wrote to memory of 1096	976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	87
PID 976 wrote to memory of 1096	976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	87
PID 976 wrote to memory of 1096	976	d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe	87
PID 3404 wrote to memory of 3844	3404	Explorer.EXE	101
PID 3404 wrote to memory of 3844	3404	Explorer.EXE	101
PID 3404 wrote to memory of 3844	3404	Explorer.EXE	101
PID 3844 wrote to memory of 4316	3844	credwiz.exe	102
PID 3844 wrote to memory of 4316	3844	credwiz.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe
  "C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\d780eab8b7e55c651f5e5ec5a0bc1fc70184b2958a23bf6501c81e0a82e52841.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1096
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\SysWOW64\credwiz.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autA316.tmp

Filesize
266KB

MD5
d229f44fabf4723753b5a35c8de150b6

SHA1
8c78c72d879e0db9f74aff7fb3d64af16cfc4652

SHA256
ebd9fbeec2ae2be3ffd2729bec667cefe6f165312382ff33f9fa8b66412dc5e2

SHA512
81c44b1da2e4623694a48322f6322293f038b9586a48536b82175d8052c19c14a8589ae7c03b38199f012402262c5078edd0c9c9abe0c30c2690be1aab032d03

Download Submit
memory/976-13-0x0000000001690000-0x0000000001694000-memory.dmp

Filesize
16KB

Download
memory/1096-24-0x0000000000FD0000-0x0000000000FF3000-memory.dmp

Filesize
140KB

Download
memory/1096-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-16-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/1096-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-19-0x0000000000FD0000-0x0000000000FF3000-memory.dmp

Filesize
140KB

Download
memory/1096-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-27-0x000000000D120000-0x000000000EDF8000-memory.dmp

Filesize
28.8MB

Download
memory/3404-20-0x000000000D120000-0x000000000EDF8000-memory.dmp

Filesize
28.8MB

Download
memory/3404-31-0x0000000002E00000-0x0000000002EC6000-memory.dmp

Filesize
792KB

Download
memory/3404-32-0x0000000002E00000-0x0000000002EC6000-memory.dmp

Filesize
792KB

Download
memory/3404-39-0x0000000002E00000-0x0000000002EC6000-memory.dmp

Filesize
792KB

Download
memory/3844-22-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/3844-21-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/3844-25-0x0000000002930000-0x0000000002C7A000-memory.dmp

Filesize
3.3MB

Download
memory/3844-26-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/3844-28-0x0000000002800000-0x00000000028A2000-memory.dmp

Filesize
648KB

Download
memory/3844-29-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/3844-30-0x0000000002800000-0x00000000028A2000-memory.dmp

Filesize
648KB

Download
memory/4316-40-0x0000019A8AEA0000-0x0000019A8AF85000-memory.dmp

Filesize
916KB

Download