471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
842s
max time network
847s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
Size

4.9MB
MD5

4313fd0a3d2cbedd4570230931833fe1
SHA1

8280f59248747c6901079ac6e52814606ab8cdc4
SHA256

8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0
SHA512

1fd81fb997cbc2973b66a2f95b848dc5813b44513d21189b73a708e9d26b583bebe6bb429c89ecb7dd687262fa4a35abb791f56db3dc884e281b4d056b05887e
SSDEEP

98304:/VKIRQd+TZAJPEoRgWkJgsgv4n/C2QHij4WeoM14s7Oc3b7e6l/R4ze9H:NKo4iAJcoSLi4/C2QHTRh6o/Gy9

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

pid	process
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
2476	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

description	pid	process	target process
PID 2332 wrote to memory of 2476	2332	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
PID 2332 wrote to memory of 2476	2332	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
PID 2332 wrote to memory of 2476	2332	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe	8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe

C:\Users\Admin\AppData\Local\Temp\8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
"C:\Users\Admin\AppData\Local\Temp\8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
  "C:\Users\Admin\AppData\Local\Temp\8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe"
  2⤵
  - Loads dropped DLL
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23322\_ctypes.pyd

Filesize
119KB

MD5
05e373da5c2fb139e43b2c66779e09be

SHA1
e9feee5f881b4b5341b722e16a6336691c80aac3

SHA256
aca803d4e1cfce94992fa736e50ccf8df5568639810bd091a8cc0dbd73441bc0

SHA512
c3c1386a33bce06b5116a8a2d9420aa003eb48c7bbef85ac09c62d686119156eb599710549ff2ff3ee10952cafaff9fd398b82deb2219228dff1319ee524e0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23322\_hashlib.pyd

Filesize
1.4MB

MD5
cb10fc8d7c7bbe02a19b4c5cfd4cf6aa

SHA1
6d9acbbdb30f7971c97f4af2cbff8e4af1c6aaa1

SHA256
c348507a88ad56742ecc888545dde1c1b2d15da23258bf9616d7a1d04c05a2f4

SHA512
ae9c5c4257f6de6ac3870c741f87d4435a48b8fa9826af53e845d949cd24b8e5bfa02ec135d1bf1e6b2c931b0a7e14fddd86028b7d531375496ca603faf548cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23322\python27.dll

Filesize
3.2MB

MD5
914e35bf7c0e6b4ae25440612b1314a1

SHA1
7f3068414ed64712561f22d4a476297ac53618e9

SHA256
d98c58a5f1d98299645a8af1c364117d6d7b8b8f4b3ae05f4c99911c12f90995

SHA512
9dd87774cfd41c25106e0b401c4bb07ee85bce9bb28d36b7a25b2ec840e6be18700199bf21d48288cbf1773c0669640d30f51f63a46a7b06513f04716754e22c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23322\Crypto.Cipher._AES.pyd

Filesize
30KB

MD5
fee0d3b5e4d558b7f50b39a39a6c22fa

SHA1
8de9c523389e6efb8c57dd8cd9ae1ea667b03f1a

SHA256
9072e92e648e4049a3cccb981ac3b5c97114dac0dc69e94daaa5a6b0f75b2fbf

SHA512
a74009f18291ceeed1bfb55cb05ff9fb88d4549f6c82e792f9ea2bf451728989e427efa5e40916dc031e05234dcae8f56c791f8067b578b5e61e1e16167c4419

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23322\_socket.pyd

Filesize
50KB

MD5
d920a802ae7cd39827a831341674c229

SHA1
ae755ce2d44e38108398346bd1f7d263a4849327

SHA256
665b2a4ecdbb17e3dbd155a271b80efd6b49f409a7de828dbc7c0987494f0818

SHA512
65aba7a1f2376c5ea1df7080bf6f6dfab8a00e3b6fd6f1026fbb6d54fcd4de9e272c309b2f52577bb933bc36c425b3e2814331edc16b816732faad82858b54af

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23322\_ssl.pyd

Filesize
2.0MB

MD5
7d3c5960f1062e409fe1ec0ea6789e6c

SHA1
8ca7855e4189f0be006ab69477a4adad545bce01

SHA256
3aab5131bda24153b3d4e863fa0166bff491bb44b2e412e9a84bcdff1e5267eb

SHA512
4264084e19549da245c37f6a4fd9ffafcef0f32b6cb00351ec0ca44aaacb1a5d0bccb00465d75f41319a02ccfcdd90435bdeb3fd70671a1c09b3b3032e635ebb

Download Submit