Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 06:29

General

  • Target

    7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe

  • Size

    1.6MB

  • MD5

    79400b1fd740d9cb7ec7c2c2e9a7d618

  • SHA1

    8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3

  • SHA256

    556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f

  • SHA512

    3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac

  • SSDEEP

    24576:nui93Vkg97e2KjCcGIG4W6VifDWIkJ7iJtxNhtNNefd0OIG3RQlyrLxoA8ZPo+Zn:dlJe9G3D6JYxpNNEd0OIcRfn0Po+Z1I

Malware Config

Signatures

  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3660
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11111.exe

    Filesize

    215KB

    MD5

    94989927a6611e1919f84e1871922b63

    SHA1

    b602e4c47c9c42c273b68a1ce85f0814c0e05deb

    SHA256

    6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17

    SHA512

    ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

  • C:\Users\Admin\AppData\Local\Temp\11111.exe

    Filesize

    207KB

    MD5

    d0527733abcc5c58735e11d43061b431

    SHA1

    28de9d191826192721e325787b8a50a84328cffd

    SHA256

    b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45

    SHA512

    7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    31B

    MD5

    b7161c0845a64ff6d7345b67ff97f3b0

    SHA1

    d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

    SHA256

    fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

    SHA512

    98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    1KB

    MD5

    0de1c1adcd260760fd221bccc3ebc1ef

    SHA1

    eb8d37e4a2757e00e63ec4698e641cbed1f94680

    SHA256

    a43e057329c848cc5f7af90197f0e4cc03ca001157739c73ef42024ce1b41db7

    SHA512

    14de67bf24b7e7a802dfb6846b4dec2c5afd2713d001e72e2878157e71c866a118fc8e359c98db797ce5445a05c547765a10afca5ba86e55f67da16c93cd2913

  • memory/2052-11-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/2052-17-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

  • memory/3660-3-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/3660-6-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB