Analysis

max time kernel: 93s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:41
Static task: static1
General

Target: unext.exe
Size: 21.4MB
MD5: b6853f56dcb9df17642c73ff22ca6395
SHA1: eeac6671666fe797d8e111fd652b6799a9aa86c6
SHA256: 0242cf0f099ba698cc91112ffdbdf014ed3f3bd0bdede3f982cfe5a9d45b69a8
SHA512: 4fd1d90077a7be2ec497317bb0bf16055a0ea3db9aeb4efe63b286ed71ac12d6f28a4eb625d9dbfff1a8e3dee71e33f77849745e81193b0225de2ad644be03d7
SSDEEP: 393216:lBbA/XDhUtr9fXSnxrXld6MoYmz+v1UwOwreDNNjYVZey0nZdg+ogm1:jA/XMr9KhXeMbmz+vZsBYmBZas2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  5072  unext.exe
- Loads dropped DLL (56 IoCs)
  pid   Process
  5072  unext.exe  (all 56 DLL-load entries in the report are attributed to PID 5072, unext.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other things.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow  ioc
  24    discord.com
  25    discord.com
  26    discord.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  22    ipinfo.io
  23    ipinfo.io
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               5072  unext.exe
  Token: SeIncreaseQuotaPrivilege       3416  wmic.exe
  Token: SeSecurityPrivilege            3416  wmic.exe
  Token: SeTakeOwnershipPrivilege       3416  wmic.exe
  Token: SeLoadDriverPrivilege          3416  wmic.exe
  Token: SeSystemProfilePrivilege       3416  wmic.exe
  Token: SeSystemtimePrivilege          3416  wmic.exe
  Token: SeProfSingleProcessPrivilege   3416  wmic.exe
  Token: SeIncBasePriorityPrivilege     3416  wmic.exe
  Token: SeCreatePagefilePrivilege      3416  wmic.exe
  Token: SeBackupPrivilege              3416  wmic.exe
  Token: SeRestorePrivilege             3416  wmic.exe
  Token: SeShutdownPrivilege            3416  wmic.exe
  Token: SeDebugPrivilege               3416  wmic.exe
  Token: SeSystemEnvironmentPrivilege   3416  wmic.exe
  Token: SeRemoteShutdownPrivilege      3416  wmic.exe
  Token: SeUndockPrivilege              3416  wmic.exe
  Token: SeManageVolumePrivilege        3416  wmic.exe
  Token: 33                             3416  wmic.exe
  Token: 34                             3416  wmic.exe
  Token: 35                             3416  wmic.exe
  Token: 36                             3416  wmic.exe
  (each of the 21 wmic.exe token entries is recorded twice in the report: 1 + 2 x 21 = 43 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process    procid_target
  PID 1628 wrote to memory of 5072  1628  unext.exe  88
  PID 1628 wrote to memory of 5072  1628  unext.exe  88
  PID 5072 wrote to memory of 2492  5072  unext.exe  89
  PID 5072 wrote to memory of 2492  5072  unext.exe  89
  PID 5072 wrote to memory of 3416  5072  unext.exe  92
  PID 5072 wrote to memory of 3416  5072  unext.exe  92
Processes

1. C:\Users\Admin\AppData\Local\Temp\unext.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\unext.exe"
   PID: 1628
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\onefile_1628_133755828865094197\unext.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\unext.exe
      PID: 5072
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c "ver"
         PID: 2492
      3. C:\Windows\System32\Wbem\wmic.exe
         Command line: wmic csproduct get uuid
         PID: 3416
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads