f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Size

1.6MB
MD5

79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1

8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256

556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512

3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
SSDEEP

24576:nui93Vkg97e2KjCcGIG4W6VifDWIkJ7iJtxNhtNNefd0OIG3RQlyrLxoA8ZPo+Zn:dlJe9G3D6JYxpNNEd0OIcRfn0Po+Z1I

Score

9^/10

discovery spyware stealer upx

Malware Config

Signatures

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral21/memory/2788-8-0x0000000000400000-0x0000000000480000-memory.dmp	Nirsoft
behavioral21/memory/2752-23-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral21/memory/2752-23-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

Processes:

11111.exe11111.exe

pid process

2788 11111.exe
2752 11111.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
2788	11111.exe
2752	11111.exe

flow	ioc
4	ip-api.com

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral21/memory/2788-6-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral21/memory/2788-8-0x0000000000400000-0x0000000000480000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral21/memory/2752-17-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral21/memory/2752-23-0x0000000000400000-0x0000000000483000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

11111.exe11111.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

11111.exe

pid process

2752 11111.exe
2752 11111.exe

pid	process
2752	11111.exe
2752	11111.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

61e7501db65f3_Tue23c7b395c3.exe

description	pid	process	target process
PID 2880 wrote to memory of 2788	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2788	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2788	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2788	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2752	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2752	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2752	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2752	2880	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 2880 wrote to memory of 2656	2880	61e7501db65f3_Tue23c7b395c3.exe	WerFault.exe
PID 2880 wrote to memory of 2656	2880	61e7501db65f3_Tue23c7b395c3.exe	WerFault.exe
PID 2880 wrote to memory of 2656	2880	61e7501db65f3_Tue23c7b395c3.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2880 -s 480
  2⤵
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
215KB

MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
207KB

MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
275B

MD5
1ef27bf34ef1987482af62a2d850f112

SHA1
72056e1c9480c09d07231459ed1c80bd89f64025

SHA256
af4e46c53f5055bbb9f91e53c3832e778d275a738f5db5aea35f26d77ca1fecf

SHA512
b5af1a9d4721a912ef9c30ecaa70cbad9531b927e01076dc97c0485b3be4541aebdf1bb8a7c50e83132e4f1cdf60b4f13e67baa4654be197fe16e3b50134a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
246B

MD5
46183ada973d3bfaab7be726c800e96e

SHA1
7fcb7272b04d8b1caaf1343ec720461ca79f45c2

SHA256
0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f

SHA512
338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Download Submit
memory/2752-17-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2752-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2788-6-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2788-8-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download