d0e6cead62e17793a326d6ce73d938bd2faff677112db260ca64bf9e7f569dce

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/$_33_/ntcrxinst.exe
Size

100KB
MD5

69f05f76c5549e81759f9823343bcb70
SHA1

7c842beff93d521ddbd8b97ca3b106a5a24a0913
SHA256

0b4292f503438b1bf95cc06c049c98bec9fb36331e2c12f433455802ee77a8ac
SHA512

5be7d7cadd806c3942c83f2e4ef42c5a852d9edcff30fd9f94f2d1a1e85d220b9efef396702ba096617cc86ccc6531a3332815428d5ca6484e0f0fecac21ffc7
SSDEEP

1536:6CUm7KFP2QuXYdsLP0DgXJFibMZateQihqHkmJCMpoo0f2VXZf2mGq6ZHib:6CuFP2lXIHDgXJFKMZ/Qj7tr0ODOm9Ei

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral5/files/0x000500000001a4fc-3.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
1820	ntcrxinst.exe
1820	ntcrxinst.exe
1820	ntcrxinst.exe
1820	ntcrxinst.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfenflmklmpohipcckmagnmbmbibnolo\1.0.0_0\manifest.json	ntcrxinst.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x000500000001a4fc-3.dat	upx
behavioral5/memory/1820-12-0x0000000074C50000-0x0000000074C5A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntcrxinst.exe

C:\Users\Admin\AppData\Local\Temp\$APPDATA\$_33_\ntcrxinst.exe
"C:\Users\Admin\AppData\Local\Temp\$APPDATA\$_33_\ntcrxinst.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- System Location Discovery: System Language Discovery
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdB1E2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1E2.tmp\nsJSON.dll

Filesize
7KB

MD5
e273fac4ce13239f485dd944f48a70aa

SHA1
9c8108686412e0b193775b26e34fba1074e1cb14

SHA256
6c3d7dc2882b009ff4b617593af26edc43505f43db80bfa07fc138ee3600e3a5

SHA512
f5f0fa0407a55faccc2da82534c8d4f5e267b7b14b1655ffb94a23f55019081a4b12dd7ed4a4339fb5427c3ab0f08531b1b11496f4daaacedbd2a6ec2f47831a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1E2.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB1E2.tmp\replacebf.dll

Filesize
22KB

MD5
ce2901eee68d80fe56d76f0a3a07f274

SHA1
8c79facd772ddc6177235382ad2ab9b2e58ac60f

SHA256
1fbf6e96fa1c9f54a24a9919880c89621b7b2706d98bbf03ad44c607dad36386

SHA512
3bba1dd15c6cbca2ef8d44d0e9bed2c40e685fff288787b64c0ae76c2125a255d8e35075971a171d2b92a0eec289eb044ea7a18b00804a824d8253aa0c2cb6ab

Download Submit
memory/1820-12-0x0000000074C50000-0x0000000074C5A000-memory.dmp

Filesize
40KB

Download
memory/1820-18-0x00000000021C0000-0x00000000021D3000-memory.dmp

Filesize
76KB

Download
memory/1820-50-0x00000000021C0000-0x00000000021D3000-memory.dmp

Filesize
76KB

Download