Analysis

  • max time kernel
    93s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 02:11

General

  • Target

    1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

  • Size

    1.0MB

  • MD5

    0d52c34732339d12e58c62cdcbcd2241

  • SHA1

    b00a95fe388a69d375b4e370fa5112dda61c2ede

  • SHA256

    1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98

  • SHA512

    4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de

  • SSDEEP

    24576:OfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:Vo54clgLH+tkWJ0Nj

Malware Config

Signatures

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
    "C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Browsers\Passwords\Passwords_Edge.txt

    Filesize

    426B

    MD5

    42fa959509b3ed7c94c0cf3728b03f6d

    SHA1

    661292176640beb0b38dc9e7a462518eb592d27d

    SHA256

    870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

    SHA512

    7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

  • C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\ClearSelect.doc

    Filesize

    682KB

    MD5

    40d69c957ac1a39d697285726133b9d7

    SHA1

    de9dcbba75f3a09d632a43013d705fd96adc0354

    SHA256

    f425a97a532364395c9b55a9c6acdcad9c84390b29b45605a0175c9c8f44b39d

    SHA512

    863b01fa2f3828621e6f4e33acafacca3288f697a51b39567ab24dd1db0fc00c59b73f33d88ae6115af0f1f49382e3e659e645ac2d10f1f5c5931a155a4755c1

  • C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\JoinDebug.doc

    Filesize

    711KB

    MD5

    d485ec09130be18c11c18b7ad6a2264b

    SHA1

    aab65ad9bdb8e568c7e8340cc1c7af48365bf63b

    SHA256

    71d3d648c7093324093e51b5ced12b91c22d5a9f6a1af896d8857e8e32b59a64

    SHA512

    102e52c7713181be1eaf0382491f29cc9ac4ecf830e27658a912b1fb198d3b267c51debc2191dc0cf90f0d450c95c48641e61cb82c6f1e70e2773ddafa88307c

  • memory/5076-0-0x00007FFE43933000-0x00007FFE43935000-memory.dmp

    Filesize

    8KB

  • memory/5076-1-0x000001D28D240000-0x000001D28D34A000-memory.dmp

    Filesize

    1.0MB

  • memory/5076-2-0x000001D2A7940000-0x000001D2A79B6000-memory.dmp

    Filesize

    472KB

  • memory/5076-3-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-83-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp

    Filesize

    10.8MB