72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4

Analysis

max time kernel
93s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Size

704KB
MD5

9e73edecc13d48a931257849c4036190
SHA1

b77db7ce9338c08be219f77d789da76124bfcb89
SHA256

72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4
SHA512

f2d37ab09d5cebf1fb4922bfef9748bac1b12f9e47a135bb3f07c24f040dcf38762b725feb26baa6920da49c73e48a4ca405ea316e67f97b687b0cce937a348e
SSDEEP

12288:leSh8aHgOgcpd5dhwnrb5yMdjKFqhgWGLOpEl6hjjhQynq14Jk3GzhmoIgwBvdXm:lZh8aAOxpduuFqhPVRQynZJwGFmooXq

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1768	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
1768	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe

C:\Users\Admin\AppData\Local\Temp\72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe
"C:\Users\Admin\AppData\Local\Temp\72d4242770645b7a8fca782709e19d5497e53c55fd40be8d840b1af0b10236c4N.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Quepje.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shcqo.tmp

Filesize
92KB

MD5
882ec2bb4bf46a0ee80134f7b7b5d2d7

SHA1
4f76f5db450eb1a57199f5e0bb4bb6a61b4a5d7a

SHA256
a101a238346d9df0fe89b33f45436042d92878d75c5528ad0b8e201b91db0402

SHA512
eed22fb4d714d6c438760378912286d41f4f1e1ad27d62240fd9fc3c304831567e552e2ffe2524a0869d57a0fd7c6494a1fbf1e0d8eb78f58a052be3a3c4caaf

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\AF7011DB9BA75DE3E4434379E8037F31\64\sqlite.interop.dll

Filesize
1.7MB

MD5
d3f0fe99d31783cff15c1bae1f89734b

SHA1
1b706eb0e4bda293dfbb0d08c7a2b652d6ad425b

SHA256
7b591146c1f26d84b92d6c2113f9bfcf6c9d11728da3baf7973b94db523256e7

SHA512
737977344ecb252cf86768d14ae4602ab1a24adaa8f61f52beeee25b70d0ad46c834078b46e98aad4e1f9cac54b0754720c5170c4f533b12e96f0b1421727d04

Download Submit
memory/1768-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

Filesize
4KB

Download
memory/1768-1-0x0000000001110000-0x00000000011C6000-memory.dmp

Filesize
728KB

Download
memory/1768-2-0x0000000000F90000-0x0000000001072000-memory.dmp

Filesize
904KB

Download
memory/1768-3-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-4-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-5-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-29-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-33-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-31-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-27-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-25-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-23-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-21-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-19-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-17-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-15-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-13-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-11-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-9-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-7-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-39-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-53-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-67-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-65-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-63-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-61-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-59-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-57-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-55-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-51-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-49-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-47-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-45-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-43-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-41-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-37-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-35-0x0000000000F90000-0x000000000106C000-memory.dmp

Filesize
880KB

Download
memory/1768-2864-0x0000000000D20000-0x0000000000D92000-memory.dmp

Filesize
456KB

Download
memory/1768-2865-0x0000000001070000-0x00000000010BC000-memory.dmp

Filesize
304KB

Download
memory/1768-2866-0x000000001B6E0000-0x000000001B93E000-memory.dmp

Filesize
2.4MB

Download
memory/1768-2867-0x000000001B940000-0x000000001BC6C000-memory.dmp

Filesize
3.2MB

Download
memory/1768-2872-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

Filesize
4KB

Download
memory/1768-2873-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-2874-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-2875-0x000000001BDB0000-0x000000001BE2A000-memory.dmp

Filesize
488KB

Download
memory/1768-2876-0x000000001BF50000-0x000000001BFB4000-memory.dmp

Filesize
400KB

Download
memory/1768-2878-0x0000000000D90000-0x0000000000DB5000-memory.dmp

Filesize
148KB

Download
memory/1768-2906-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-2907-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download