f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Size

1.6MB
MD5

79400b1fd740d9cb7ec7c2c2e9a7d618
SHA1

8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
SHA256

556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
SHA512

3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
SSDEEP

24576:nui93Vkg97e2KjCcGIG4W6VifDWIkJ7iJtxNhtNNefd0OIG3RQlyrLxoA8ZPo+Zn:dlJe9G3D6JYxpNNEd0OIcRfn0Po+Z1I

Score

9^/10

discovery spyware stealer upx

Malware Config

Signatures

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral22/memory/220-6-0x0000000000400000-0x0000000000480000-memory.dmp	Nirsoft
behavioral22/memory/1756-17-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral22/memory/1756-17-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

Processes:

11111.exe11111.exe

pid process

220 11111.exe
1756 11111.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
220	11111.exe
1756	11111.exe

flow	ioc
3	ip-api.com

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral22/memory/220-3-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral22/memory/220-6-0x0000000000400000-0x0000000000480000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\11111.exe	upx
behavioral22/memory/1756-11-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral22/memory/1756-17-0x0000000000400000-0x0000000000483000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

11111.exe11111.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

11111.exe

pid process

1756 11111.exe
1756 11111.exe
1756 11111.exe
1756 11111.exe

pid	process
1756	11111.exe
1756	11111.exe
1756	11111.exe
1756	11111.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

61e7501db65f3_Tue23c7b395c3.exe

description	pid	process	target process
PID 1916 wrote to memory of 220	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 1916 wrote to memory of 220	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 1916 wrote to memory of 220	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 1916 wrote to memory of 1756	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 1916 wrote to memory of 1756	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe
PID 1916 wrote to memory of 1756	1916	61e7501db65f3_Tue23c7b395c3.exe	11111.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
207KB

MD5
d0527733abcc5c58735e11d43061b431

SHA1
28de9d191826192721e325787b8a50a84328cffd

SHA256
b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

SHA512
7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
215KB

MD5
94989927a6611e1919f84e1871922b63

SHA1
b602e4c47c9c42c273b68a1ce85f0814c0e05deb

SHA256
6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

SHA512
ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
0de1c1adcd260760fd221bccc3ebc1ef

SHA1
eb8d37e4a2757e00e63ec4698e641cbed1f94680

SHA256
a43e057329c848cc5f7af90197f0e4cc03ca001157739c73ef42024ce1b41db7

SHA512
14de67bf24b7e7a802dfb6846b4dec2c5afd2713d001e72e2878157e71c866a118fc8e359c98db797ce5445a05c547765a10afca5ba86e55f67da16c93cd2913

Download Submit
memory/220-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/220-6-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1756-11-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1756-17-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download