e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe
Size

734KB
MD5

89244196bdc04bc8ace820b03a782470
SHA1

3bc65709c7ae0edd170fc6735e10f7df5c93401b
SHA256

e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11
SHA512

b38a5d22e24611d56ae5b12304422d1e353f1b37c0a523117ee036cabbc8601500a758dec9c66ded1e288c4fd633824baab1efec2de24cb8b6671a7548b83d1f
SSDEEP

12288:ASqyMJfsG0iK/NJAOB81AQ2w35/FYj6K5y+4hDy0kzCN3MiIMU4EOcqF+WO/NWqY:bqyMJfs+ENJA6GAQ2OFUQxhDy0VcMU4j

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-1-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-6-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-5-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-91-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-93-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-94-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-92-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-95-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-114-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-116-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-128-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-129-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-130-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-138-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-140-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-151-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-152-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-153-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-154-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-157-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-158-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-160-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-166-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-168-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-169-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-167-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-170-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-171-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-172-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-173-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-174-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-175-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-176-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-177-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-178-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx
behavioral1/memory/1672-180-0x0000000001DD0000-0x0000000001F16000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is259424733.log	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe
1672	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe
1672	e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe

C:\Users\Admin\AppData\Local\Temp\e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe
"C:\Users\Admin\AppData\Local\Temp\e4887e656bd43662871e1dbc21aaadecf49110a830f0bca98ed5309f5a276a11N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ISH259~1\images\Close_Hover.png

Filesize
1KB

MD5
83487401daf307d6c726a479de1ee6f9

SHA1
c173be4937a63672570078b325864c76b28040b8

SHA256
f4f0f59fccd9b87b208b416423797dcfb532472dcfef99bef41a11ea9f6f713b

SHA512
da69729b6682acd1c46587c7c3b4533d9afbcf84c17e55f43798f1fee0097c7a2f39860e6dbc6a9b1cb26dc63d9afab4511071981ad5fd494f36ad9659c56e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\bootstrap_52785.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\css\main.css

Filesize
5KB

MD5
c4defa8d39bae67d8f65a0db206ce195

SHA1
61c4c8d278c15f4fbcf3d5c471adf796135920b5

SHA256
ac85063553d730cb11945522296d3887dc200fba829024c92bb3c72ce24b4de1

SHA512
8d9565d2ddbb5b9d336b7275f5e3c3398444cd467a162a5831238057855273571991bfe1812c50a5a94446014e15871ba1a42dfc9f3b53e73d31f185acc2b39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\css\sdk-ui\progress-bar.css

Filesize
507B

MD5
abc5fac091a8548789f3e6b4553ef430

SHA1
c02d3c132f87607b7081a7b61fbd48728cc75ee4

SHA256
d482709570c0f9259ccf0ca4569a9ca05b37798910fe650da459b30dd832c845

SHA512
5e01c691a1b4e2e767e73c32bd74866ebe5a61532438c4c222058f832c26901824fe365157f23a3f559de171332b743c9a55f0ae4ce5c004ae24cd906595a2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\images\BG.gif

Filesize
21KB

MD5
e4f15874b7d6a90e64364a02269bc4df

SHA1
63e6ea43b6f890cb00dab260967723730f525cb0

SHA256
1d4313dacef0bbf110c9f7b8bf4035334a6f7c9f2e05caa775aef936e4fb69d3

SHA512
fc707be1c0209b83f4403e95d2c2b67703d68309b6d27842d596c44179980c29e020a639b90956b79e4661c1e82f8ab615a054475c66d855b49669d7f20ebd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\images\Color_Button.png

Filesize
1KB

MD5
a379d9826c7537e27c3d039e6d816382

SHA1
19fc3f105175fa7b61d91e3217f2f7b56bc752a6

SHA256
ed26660ccbec7a439f5158741892beb9b63d2e7b9c491e359535d2cbce4f4e72

SHA512
cd2b2c5a559968857ff759351d8d5133410be863b97587ef50ea0b769ff46d142e96aedd24eeeb01b0aca55292cf91a86ea9569fa4c3838007a2aa76ab60ae55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\images\Color_Button_Hover.png

Filesize
1KB

MD5
08ffc7fcaf5adc850cc454275a98274c

SHA1
d504fa7e100b7dc379b83a8565b307e6485bf29b

SHA256
28879145d87be92a4ca7896fc60f6eaa81d5baa5d12af34e768e2ad374a8ffa4

SHA512
96639e4bf4cfc9d353c071768f88cc6da7342619c5e19cffcff0e2fd53edae13b49e398ddc51b2d78ef89900f895f2b26172360222e860dcf11ea43560a111bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\images\Loader.gif

Filesize
10KB

MD5
57ca1a2085d82f0574e3ef740b9a5ead

SHA1
2974f4bf37231205a256f2648189a461e74869c0

SHA256
476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e

SHA512
2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259424140\images\icon.png

Filesize
3KB

MD5
b460d82eab7af8ba6e338e351dd0ecdc

SHA1
265b9a3f3c80f40f8534ddcfbf9c1ed61e3b1b20

SHA256
47a4ac193b9bdfe15d0b8a95370823739c2ae4f6ebf2015e1412b880cde6b81d

SHA512
e3add5d91a61da7f64c7860e6303344f37cd49e2fde15c677924d133fec607dfe4ab4d99ec8a3322587b0b186a58e71fcd326e67057a6ff7ef80ad8ed3f0e63e

Download Submit
memory/1672-140-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-153-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-92-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-94-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-93-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-114-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-116-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-128-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-129-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-130-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-138-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-91-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1672-0-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1672-5-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-6-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-1-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-151-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-152-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-95-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-154-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-157-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-158-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-160-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-166-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-168-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-169-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-167-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-170-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-171-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-172-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-173-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-174-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-175-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-176-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-177-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-178-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download
memory/1672-180-0x0000000001DD0000-0x0000000001F16000-memory.dmp

Filesize
1.3MB

Download