Analysis

  • max time kernel: 93s
  • max time network: 203s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 23:41

General

  • Target: unext.exe
  • Size: 21.4MB
  • MD5: b6853f56dcb9df17642c73ff22ca6395
  • SHA1: eeac6671666fe797d8e111fd652b6799a9aa86c6
  • SHA256: 0242cf0f099ba698cc91112ffdbdf014ed3f3bd0bdede3f982cfe5a9d45b69a8
  • SHA512: 4fd1d90077a7be2ec497317bb0bf16055a0ea3db9aeb4efe63b286ed71ac12d6f28a4eb625d9dbfff1a8e3dee71e33f77849745e81193b0225de2ad644be03d7
  • SSDEEP: 393216:lBbA/XDhUtr9fXSnxrXld6MoYmz+v1UwOwreDNNjYVZey0nZdg+ogm1:jA/XMr9KhXeMbmz+vZsBYmBZas2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (56 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken (43 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\unext.exe (PID 1628)
    "C:\Users\Admin\AppData\Local\Temp\unext.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\unext.exe (PID 5072)
      C:\Users\Admin\AppData\Local\Temp\unext.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\cmd.exe (PID 2492)
        C:\Windows\system32\cmd.exe /c "ver"
      • C:\Windows\System32\Wbem\wmic.exe (PID 3416)
        wmic csproduct get uuid
        • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd (63KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd (155KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd (77KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd (157KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem (292KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd (10KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll (3.3MB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll (688KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd (29KB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll (1.4MB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd (1.1MB)
  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd (507KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\Crypto\Cipher\_raw_cbc.pyd (12KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\Crypto\Cipher\_raw_cfb.pyd (12KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\Crypto\Cipher\_raw_ctr.pyd (14KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\Crypto\Cipher\_raw_ecb.pyd (10KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\Crypto\Cipher\_raw_ofb.pyd (11KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\VCRUNTIME140.dll (106KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\_bz2.pyd (82KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\_cffi_backend.pyd (174KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\_queue.pyd (31KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\_sqlite3.pyd (117KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\_uuid.pyd (24KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\charset_normalizer\md__mypyc.pyd (118KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\psutil\_psutil_windows.pyd (65KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\python3.dll (65KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\python311.dll (5.5MB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\pywintypes311.dll (131KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\unext.exe (41.4MB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\vcruntime140_1.dll (48KB)
  • C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\win32crypt.pyd (121KB)