Overview
overview
10Static
static
107zS850A099...ed.exe
windows7-x64
37zS850A099...ed.exe
windows10-2004-x64
77zS850A099...1a.exe
windows7-x64
77zS850A099...1a.exe
windows10-2004-x64
77zS850A099...b7.exe
windows7-x64
107zS850A099...b7.exe
windows10-2004-x64
107zS850A099...5e.exe
windows7-x64
67zS850A099...5e.exe
windows10-2004-x64
67zS850A099...a0.exe
windows7-x64
107zS850A099...a0.exe
windows10-2004-x64
107zS850A099...95.exe
windows7-x64
87zS850A099...95.exe
windows10-2004-x64
77zS850A099...cb.exe
windows7-x64
107zS850A099...cb.exe
windows10-2004-x64
107zS850A099...58.exe
windows7-x64
107zS850A099...58.exe
windows10-2004-x64
107zS850A099...7f.exe
windows7-x64
107zS850A099...7f.exe
windows10-2004-x64
107zS850A099...32.exe
windows7-x64
107zS850A099...32.exe
windows10-2004-x64
107zS850A099...c3.exe
windows7-x64
97zS850A099...c3.exe
windows10-2004-x64
97zS850A099...e9.exe
windows7-x64
107zS850A099...e9.exe
windows10-2004-x64
107zS850A099...8c.exe
windows7-x64
37zS850A099...8c.exe
windows10-2004-x64
37zS850A099...8c.exe
windows7-x64
67zS850A099...8c.exe
windows10-2004-x64
67zS850A099...rl.dll
windows7-x64
37zS850A099...rl.dll
windows10-2004-x64
37zS850A099...pp.dll
windows7-x64
37zS850A099...pp.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 06:29
Behavioral task
behavioral1
Sample
7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
7zS850A099E/61e74fd3252fe_Tue23df2ad021a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
7zS850A099E/61e74fd41f841_Tue2365aa82b7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
7zS850A099E/61e74fd53f766_Tue23ec97445e.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
7zS850A099E/61e74fd53f766_Tue23ec97445e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
7zS850A099E/61e74fda51500_Tue23260baecb.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
7zS850A099E/61e74fda51500_Tue23260baecb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
7zS850A099E/61e7501ab629f_Tue23c4645058.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
7zS850A099E/61e7501ab629f_Tue23c4645058.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
7zS850A099E/61e7501b7eabe_Tue2344597f.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
7zS850A099E/61e7501b7eabe_Tue2344597f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
7zS850A099E/61e7501c830d6_Tue23bdf4712a32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
7zS850A099E/61e7502b8389b_Tue233252e9.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
7zS850A099E/61e7502b8389b_Tue233252e9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
7zS850A099E/61e7502c4cff3_Tue232cba58c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
7zS850A099E/libcurl.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
7zS850A099E/libcurl.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
7zS850A099E/libcurlpp.dll
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
7zS850A099E/libcurlpp.dll
Resource
win10v2004-20241007-en
General
-
Target
7zS850A099E/61e7501db65f3_Tue23c7b395c3.exe
-
Size
1.6MB
-
MD5
79400b1fd740d9cb7ec7c2c2e9a7d618
-
SHA1
8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
-
SHA256
556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
-
SHA512
3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
-
SSDEEP
24576:nui93Vkg97e2KjCcGIG4W6VifDWIkJ7iJtxNhtNNefd0OIG3RQlyrLxoA8ZPo+Zn:dlJe9G3D6JYxpNNEd0OIcRfn0Po+Z1I
Malware Config
Signatures
-
Detected Nirsoft tools 2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral22/memory/3660-6-0x0000000000400000-0x0000000000480000-memory.dmp Nirsoft behavioral22/memory/2052-17-0x0000000000400000-0x0000000000483000-memory.dmp Nirsoft -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral22/memory/2052-17-0x0000000000400000-0x0000000000483000-memory.dmp WebBrowserPassView -
Executes dropped EXE 2 IoCs
Processes:
11111.exe11111.exepid process 3660 11111.exe 2052 11111.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\11111.exe upx behavioral22/memory/3660-3-0x0000000000400000-0x0000000000480000-memory.dmp upx behavioral22/memory/3660-6-0x0000000000400000-0x0000000000480000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\11111.exe upx behavioral22/memory/2052-11-0x0000000000400000-0x0000000000483000-memory.dmp upx behavioral22/memory/2052-17-0x0000000000400000-0x0000000000483000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
11111.exe11111.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11111.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
11111.exepid process 2052 11111.exe 2052 11111.exe 2052 11111.exe 2052 11111.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
61e7501db65f3_Tue23c7b395c3.exedescription pid process target process PID 2988 wrote to memory of 3660 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2988 wrote to memory of 3660 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2988 wrote to memory of 3660 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2988 wrote to memory of 2052 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2988 wrote to memory of 2052 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe PID 2988 wrote to memory of 2052 2988 61e7501db65f3_Tue23c7b395c3.exe 11111.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2052
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215KB
MD594989927a6611e1919f84e1871922b63
SHA1b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA2566abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e
-
Filesize
207KB
MD5d0527733abcc5c58735e11d43061b431
SHA128de9d191826192721e325787b8a50a84328cffd
SHA256b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA5127704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5
-
Filesize
31B
MD5b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
Filesize
1KB
MD50de1c1adcd260760fd221bccc3ebc1ef
SHA1eb8d37e4a2757e00e63ec4698e641cbed1f94680
SHA256a43e057329c848cc5f7af90197f0e4cc03ca001157739c73ef42024ce1b41db7
SHA51214de67bf24b7e7a802dfb6846b4dec2c5afd2713d001e72e2878157e71c866a118fc8e359c98db797ce5445a05c547765a10afca5ba86e55f67da16c93cd2913