Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241023-es
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    30/10/2024, 13:52

General

  • Target
    -.exe
  • Size
    325KB
  • MD5
    04704493bcdc4d0c1c9d0fd8ebf5afbc
  • SHA1
    95d64b037a8d0c5d8318a7c1429d89529ac5c766
  • SHA256
    28225c5622637cdaed8342e14560e8de7b53dd6ba145d973643fc4b5bdd67b75
  • SHA512
    ed06b9f7931326ff6923b65e95db45931b21995aa8b52eb26f578017e5b60bee7139251bc3fedc65fc7becb7e1d7d4dfdaa17361d01d8d36ebd770c9142c5c8d
  • SSDEEP
    6144:daVWdyzOxeA1DfdwX3MmIO12waD3ioZjkzQAqnee7j/lEm5sQ71oJwZzyIrz:dMROxdDfOnMmXa3ioVTPee9t5sgoJqrz

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (12 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • UPX packed file (4 IoCs)

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies system certificate store (2 TTPs, 9 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
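The "UPX packed file" signature is a static check on the PE section table. The Python below is an added example written for this page (editor's code, not the sandbox's own rule): it parses the section table of a PE image, reports the stock UPX0/UPX1 section names, and, because modified UPX builds usually rename their sections, also looks for the layout stock UPX leaves behind: a first section that reserves address space but has no raw bytes, followed by a section whose bytes have near-maximal Shannon entropy. The 7.0 bits-per-byte threshold and the minimal PE images built by `build_sample_pe` are assumptions for illustration; the report does not say which four files triggered the signature.

```python
import math
import struct

# Section names written by stock UPX. Modified builds often rename them, so the
# name check is paired with the layout-plus-entropy check below.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, virtual_size, raw_size, raw_ptr), ...] in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        # First 24 bytes of a 40-byte IMAGE_SECTION_HEADER: Name, VirtualSize,
        # VirtualAddress, SizeOfRawData, PointerToRawData.
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rsize, rptr))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Collect the evidence a packed-file verdict would be based on."""
    secs = parse_sections(pe)
    names = [n.decode("ascii", "replace") for n, _, _, _ in secs if n in UPX_SECTION_NAMES]
    high = [n.decode("ascii", "replace") for n, _, rsize, rptr in secs
            if rsize and shannon_entropy(pe[rptr:rptr + rsize]) >= HIGH_ENTROPY]
    # Stock UPX layout: the first section reserves the unpack target (virtual size,
    # zero raw bytes) and the next section carries the compressed image.
    hollow_first = bool(secs) and secs[0][1] > 0 and secs[0][2] == 0
    return {"upx_names": names, "high_entropy": high, "hollow_first_section": hollow_first}


def looks_upx_packed(pe: bytes) -> bool:
    ind = upx_indicators(pe)
    return bool(ind["upx_names"]) or (ind["hollow_first_section"] and bool(ind["high_entropy"]))


def build_sample_pe(names, payloads) -> bytes:
    """Constructed minimal PE image for testing (not a real binary): DOS header,
    PE signature, COFF header with an empty optional header, section table, raw data.
    A section with an empty payload gets virtual size but no raw data (UPX0 style)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    n = len(names)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    raw_base = e_lfanew + 4 + 20 + 40 * n
    table, blobs = b"", b""
    for name, payload in zip(names, payloads):
        rsize = len(payload)
        ptr = raw_base + len(blobs) if rsize else 0
        vsize = rsize or 0x10000
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0, rsize, ptr,
                             0, 0, 0, 0, 0xE0000040)
        blobs += payload
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1"], [b"", bytes(range(256)) * 16])
    print(upx_indicators(packed), looks_upx_packed(packed))
```

Section names alone are a weak signal in both directions: a packer that renames sections evades the name check, and a benign file can be given UPX0/UPX1 names, which is why the layout and entropy evidence is returned alongside the verdict rather than collapsed into it.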

Processes

  • C:\Users\Admin\AppData\Local\Temp\-.exe
    "C:\Users\Admin\AppData\Local\Temp\-.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\7zSC59494B6\setup-stub.exe
      .\setup-stub.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\download.exe
        "C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\config.ini
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Users\Admin\AppData\Local\Temp\7zS0E5CE5E6\setup.exe
          .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\config.ini
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2176
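The tree above is what the sandbox rendered; on an endpoint the same information arrives as flat process-creation events that have to be stitched back together before "Executes dropped EXE" can be judged. The Python below is an added example (editor's code, not part of the report) that rebuilds the tree from constructed (pid, ppid, image, command line) records modelled on this report, tags each process, and finds chains in which a Temp-resident executable starts another one. The parent pid 1200 of the sample and the notepad.exe control record are assumptions. The directory patterns are taken from the paths in this report: `7zS<hex>` is where the 7-Zip SFX module unpacks, and `ns?<hex>.tmp` is NSIS's per-run plugin directory, so the regexes flag those installer families, not maliciousness as such.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records (pid, ppid, image, command line) reproducing
# the chain in this report plus one unrelated process. The parent pid 1200 of the
# sample and the notepad.exe record are assumptions; the report does not show them.
EVENTS = [
    (2396, 1200, r"C:\Users\Admin\AppData\Local\Temp\-.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\-.exe"'),
    (1092, 2396, r"C:\Users\Admin\AppData\Local\Temp\7zSC59494B6\setup-stub.exe",
     r".\setup-stub.exe"),
    (1504, 1092, r"C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\download.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\download.exe" /LaunchedFromStub'
     r" /INI=C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\config.ini"),
    (2176, 1504, r"C:\Users\Admin\AppData\Local\Temp\7zS0E5CE5E6\setup.exe",
     r".\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\config.ini"),
    (3000, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SFX_DIR = re.compile(r"\\7zS[0-9A-F]+\\", re.I)              # 7-Zip SFX extraction dir
NSIS_DIR = re.compile(r"\\ns[a-z][0-9A-F]{4}\.tmp\\", re.I)  # NSIS plugin/temp dir


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def build_tree(events):
    """Index records by pid and link each process to its parent when the parent is known."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestry(procs, pid):
    """The process itself, then parent, grandparent, ... while the parent is known."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def classify(p):
    tags = []
    if TEMP_DIR.search(p.image):
        tags.append("runs_from_temp")
    if SFX_DIR.search(p.image):
        tags.append("7zip_sfx_dir")
    if NSIS_DIR.search(p.image):
        tags.append("nsis_temp_dir")
    if "/LaunchedFromStub" in p.cmdline:
        tags.append("launched_from_stub")
    return tags


def dropped_exe_chains(procs, min_depth=2):
    """Map pid -> length of the unbroken run of Temp-resident executables in its ancestry.
    A run of 2 means a Temp-resident process started another Temp-resident process
    (the 'Executes dropped EXE' behaviour); deeper runs are nested droppers."""
    hits = {}
    for pid in procs:
        run = 0
        for proc in ancestry(procs, pid):
            if not TEMP_DIR.search(proc.image):
                break
            run += 1
        if run >= min_depth:
            hits[pid] = run
    return hits


def render(procs, pid, depth=0, out=None):
    """Indented tree like the report's, with the tags found for each process."""
    out = [] if out is None else out
    p = procs[pid]
    out.append("  " * depth + f"{p.pid} {p.image}  [{', '.join(classify(p))}]")
    for child in p.children:
        render(procs, child.pid, depth + 1, out)
    return out


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("\n".join(render(tree, 2396)))
    print(dropped_exe_chains(tree))
```

Legitimate installers built with 7-Zip SFX and NSIS produce exactly this chain shape, so the output is a triage lead to be weighed together with the other signatures on this page (certificate store modification, browser profile reads), not a verdict on its own.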

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA4FE.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA61A.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\installing.html
    Filesize: 1KB
    MD5: 32de55f44c497811dd7ed7f227f5c28d
    SHA1: c111be08e7f3d268e7a2ed160d0c30833f25ae4a
    SHA256: 6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1
    SHA512: 48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

  • C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\installing.js
    Filesize: 2KB
    MD5: dfa7861bca754036ab853b3bb02b194d
    SHA1: 46d7c5ba614b39caa4857fcba4bdedbabb2c67c0
    SHA256: 2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878
    SHA512: c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

  • C:\Users\Admin\AppData\Local\Temp\nst9500.tmp\stub_common.js
    Filesize: 817B
    MD5: 58b8ac894c64370cfa137f5848aeb88d
    SHA1: 6a1ac1f88a918a232b79fe798b2de69cf433945f
    SHA256: 0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd
    SHA512: ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

  • \Users\Admin\AppData\Local\Temp\7zS0E5CE5E6\setup.exe
    Filesize: 936KB
    MD5: 6e3a28d05ee41af8249955a225c10d56
    SHA1: 9c76a6a650644800724326d0114e6e2603a09bcd
    SHA256: 358a7531ad0ba8da5b81df5e9a4188a4c5ab3cc7b9aebf2aa89e44f1487a1278
    SHA512: 7479daf7bf66196768bad1597454732c109b8df3b2a83e0da6315b4b2028fb2011befd6abc7dc3ebf8b245993c794df161594047243142e3dfca56cb1032eea5

  • \Users\Admin\AppData\Local\Temp\7zSC59494B6\setup-stub.exe
    Filesize: 464KB
    MD5: 32b1aed8cda8677b31c3cec33b982462
    SHA1: 5966299d342e5c0a123551c49f97324494cd48ea
    SHA256: d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a
    SHA512: b9b33072350eff2f90e8e5bb84af9c78592c39bebeb8abc5775eb4f2cf87de2873e42d2ed3124772ead4b18a5618bf4a519bf334de0d07f2e87f5862c55454c7

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\CertCheck.dll
    Filesize: 5KB
    MD5: 2979f933cbbac19cfe35b1fa02cc95a4
    SHA1: 4f208c9c12199491d7ba3c1ee640fca615e11e92
    SHA256: bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f
    SHA512: 61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\CityHash.dll
    Filesize: 43KB
    MD5: 737379945745bb94f8a0dadcc18cad8d
    SHA1: 6a1f497b4dc007f5935b66ec83b00e5a394332c6
    SHA256: d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
    SHA512: c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\InetBgDL.dll
    Filesize: 7KB
    MD5: d4f7b4f9c296308e03a55cb0896a92fc
    SHA1: 63065bed300926a5b39eabf6efdf9296ed46e0cc
    SHA256: 6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83
    SHA512: d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\System.dll
    Filesize: 11KB
    MD5: 17ed1c86bd67e78ade4712be48a7d2bd
    SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
    SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
    SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\UAC.dll
    Filesize: 18KB
    MD5: 113c5f02686d865bc9e8332350274fd1
    SHA1: 4fa4414666f8091e327adb4d81a98a0d6e2e254a
    SHA256: 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
    SHA512: e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\UserInfo.dll
    Filesize: 4KB
    MD5: 1b446b36f5b4022d50ffdc0cf567b24a
    SHA1: d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9
    SHA256: 2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922
    SHA512: 04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

  • \Users\Admin\AppData\Local\Temp\nst9500.tmp\WebBrowser.dll
    Filesize: 93KB
    MD5: dfe24aa39f009e9d98b20b7c9cc070b1
    SHA1: f48e4923c95466f689e8c5408265b52437ed2701
    SHA256: 8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444
    SHA512: 665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

  • \Users\Admin\AppData\Local\Temp\nstD4AE.tmp\System.dll
    Filesize: 22KB
    MD5: b361682fa5e6a1906e754cfa08aa8d90
    SHA1: c6701aee0c866565de1b7c1f81fd88da56b395d3
    SHA256: b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
    SHA512: 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

  • memory/1092-33-0x00000000003E0000-0x00000000003EF000-memory.dmp
    Filesize: 60KB

  • memory/1092-166-0x0000000005940000-0x0000000005986000-memory.dmp
    Filesize: 280KB

  • memory/1504-308-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB

  • memory/2396-122-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB

  • memory/2396-0-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
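The file list above is the set of hash IOCs a responder would sweep other hosts for. The Python below is an added example (editor's code, not a tool from the report) that hashes every regular file under a directory in a single pass with MD5, SHA1, SHA256 and SHA512, and matches on SHA256 against the executables and DLLs listed on this page. It matches on content rather than path on purpose: the report's paths sit in per-run directories (7zS<hex>, nst<hex>.tmp) that will not recur elsewhere, and a renamed copy must still be found. The demo directory, its two constructed files and the `DEMO_IOCS` entry are assumptions so that the block runs offline; the Cab/Tar temp files and the HTML/JS resources are left out of the IOC table because they carry no execution.

```python
import hashlib
import io
import os
import tempfile
from dataclasses import dataclass

# SHA256 values copied from this report: the submitted sample plus the executables
# and DLLs it dropped. Keyed by hash so a renamed copy still matches.
IOC_SHA256 = {
    "28225c5622637cdaed8342e14560e8de7b53dd6ba145d973643fc4b5bdd67b75": "-.exe (submitted sample)",
    "d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a": r"7zSC59494B6\setup-stub.exe",
    "358a7531ad0ba8da5b81df5e9a4188a4c5ab3cc7b9aebf2aa89e44f1487a1278": r"7zS0E5CE5E6\setup.exe",
    "bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f": r"nst9500.tmp\CertCheck.dll",
    "d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a": r"nst9500.tmp\CityHash.dll",
    "6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83": r"nst9500.tmp\InetBgDL.dll",
    "bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb": r"nst9500.tmp\System.dll",
    "0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d": r"nst9500.tmp\UAC.dll",
    "2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922": r"nst9500.tmp\UserInfo.dll",
    "8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444": r"nst9500.tmp\WebBrowser.dll",
    "b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04": r"nstD4AE.tmp\System.dll",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


@dataclass
class Match:
    path: str
    reported_as: str
    sha256: str


def digest_stream(fh, chunk=1 << 20) -> dict:
    """Feed all four digests from one read of the data, so large files are read once."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashes.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def digest_bytes(data: bytes) -> dict:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def sweep(root: str, iocs: dict = IOC_SHA256) -> list:
    """Hash every regular file under root and report those whose SHA256 is an IOC.
    Symlinks are skipped so a link cannot drag the sweep outside root."""
    matches = []
    for dirpath, _dirs, files in sorted(os.walk(root), key=lambda t: t[0]):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                sha256 = digest_file(path)["sha256"]
            except OSError:
                continue  # locked or unreadable; a real sweep would log this
            if sha256 in iocs:
                matches.append(Match(path, iocs[sha256], sha256))
    return matches


# Constructed stand-in for a dropped stage, so the sweep has something to find offline.
DEMO_PAYLOAD = b"constructed dropper payload (not a real sample)"
DEMO_IOCS = {digest_bytes(DEMO_PAYLOAD)["sha256"]: "demo-ioc (constructed)"}


def make_demo_dir() -> str:
    """Constructed scan target: a benign file plus a renamed copy of the demo payload
    in a nested directory, mimicking a dropper that renames its stages."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    os.makedirs(os.path.join(root, "nested"))
    with open(os.path.join(root, "benign.txt"), "wb") as fh:
        fh.write(b"constructed benign content")
    with open(os.path.join(root, "nested", "renamed.bin"), "wb") as fh:
        fh.write(DEMO_PAYLOAD)
    return root


if __name__ == "__main__":
    demo_root = make_demo_dir()
    print("report IOCs only:", sweep(demo_root))
    for m in sweep(demo_root, {**IOC_SHA256, **DEMO_IOCS}):
        print(f"{m.path}: matches {m.reported_as} ({m.sha256[:16]}...)")
```

MD5 and SHA1 are computed only so that the output can be compared with reports that list them; the match key is SHA256 because the older digests are not collision resistant. Exact hashes are also brittle against a rebuilt installer, which is what the SSDEEP value in the General section is for; fuzzy matching is not implemented here.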