4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/11/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
Size

1.0MB
MD5

0d52c34732339d12e58c62cdcbcd2241
SHA1

b00a95fe388a69d375b4e370fa5112dda61c2ede
SHA256

1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98
SHA512

4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de
SSDEEP

24576:OfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:Vo54clgLH+tkWJ0Nj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
6	api.ipify.org
11	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5076	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
5076	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\ClearSelect.doc

Filesize
682KB

MD5
40d69c957ac1a39d697285726133b9d7

SHA1
de9dcbba75f3a09d632a43013d705fd96adc0354

SHA256
f425a97a532364395c9b55a9c6acdcad9c84390b29b45605a0175c9c8f44b39d

SHA512
863b01fa2f3828621e6f4e33acafacca3288f697a51b39567ab24dd1db0fc00c59b73f33d88ae6115af0f1f49382e3e659e645ac2d10f1f5c5931a155a4755c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\JoinDebug.doc

Filesize
711KB

MD5
d485ec09130be18c11c18b7ad6a2264b

SHA1
aab65ad9bdb8e568c7e8340cc1c7af48365bf63b

SHA256
71d3d648c7093324093e51b5ced12b91c22d5a9f6a1af896d8857e8e32b59a64

SHA512
102e52c7713181be1eaf0382491f29cc9ac4ecf830e27658a912b1fb198d3b267c51debc2191dc0cf90f0d450c95c48641e61cb82c6f1e70e2773ddafa88307c

Download Submit
memory/5076-0-0x00007FFE43933000-0x00007FFE43935000-memory.dmp

Filesize
8KB

Download
memory/5076-1-0x000001D28D240000-0x000001D28D34A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-2-0x000001D2A7940000-0x000001D2A79B6000-memory.dmp

Filesize
472KB

Download
memory/5076-3-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-83-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp

Filesize
10.8MB

Download