4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
Size

1.0MB
MD5

0d52c34732339d12e58c62cdcbcd2241
SHA1

b00a95fe388a69d375b4e370fa5112dda61c2ede
SHA256

1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98
SHA512

4da5f2b48663a183cc46799c02179bd5bc84a71993387742984a5c76ca92d4c7aec60d25efe758636a1a006ba8a4032a6e7763c48e9515801db8be6a98d6a3de
SSDEEP

24576:OfQYMfhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRF+G:Vo54clgLH+tkWJ0Nj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
6	api.ipify.org
12	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
4596	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe

C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JVDwZFuyLLZLRDNXVZRwu661EB11482\82661EB114JVDwZFuyLLZLRDNXVZRwu\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVDwZFuyLLZLRDNXVZRwu661EB11482\82661EB114JVDwZFuyLLZLRDNXVZRwu\Grabber\HideRedo.doc

Filesize
338KB

MD5
1e85e38d2d2ee7d7d86b7dbd5cd637b6

SHA1
3105c381a12e553a1d3d5ed9d709c2112635ba8a

SHA256
c5337bd487cc4271c6f8bd4216611b44a43f62983e8fd14166a2aefc121f7277

SHA512
7cd243db6c462c6d6e73dc96b0e13bac81b7ff8395524492d49e464d832e14fff6921c8c894f925ed1c76b56df8c3ea6a2920f6ec8570fbd41ef2c9291ec8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVDwZFuyLLZLRDNXVZRwu661EB11482\82661EB114JVDwZFuyLLZLRDNXVZRwu\Grabber\RegisterUnregister.txt

Filesize
636KB

MD5
233253eb895fed7f717fb1f3b884d283

SHA1
2496be62c2a0e01520c84bced8e8643e7b300e50

SHA256
bfe1bbc98f0604439913b43cbfb4e8afbe15bcdf50d5962af94b1bfb03350dd4

SHA512
7308ce4fb706178e74c4618f63345c2ee6c02a276b40e2f7a7603e2af6ef6c98a616d9e723cb21ddb1ab837b1e3922f82a49bb6b225bfbd4f8806e1488f84bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVDwZFuyLLZLRDNXVZRwu661EB11482\82661EB114JVDwZFuyLLZLRDNXVZRwu\Grabber\ResizeMove.jpg

Filesize
522KB

MD5
a0799b86ca4f8c6fd6a692945239553a

SHA1
6c51bed3e68fd1654123616af250ce3435fe8db1

SHA256
7537524744e0e981be012a0c6ba208bcb9b65d35ccd49d7467708da697eb23f3

SHA512
eed8dba4671b031cea3601e9a2a41cd41279498ac51c4ed9569cc947c99455950331575fc533b88ca14133eaccac91468670324aa3ae59d3bf1902aaa9fb9c58

Download Submit
memory/4596-0-0x00007FF9E2CE3000-0x00007FF9E2CE5000-memory.dmp

Filesize
8KB

Download
memory/4596-1-0x000001C50F920000-0x000001C50FA2A000-memory.dmp

Filesize
1.0MB

Download
memory/4596-2-0x000001C52A020000-0x000001C52A096000-memory.dmp

Filesize
472KB

Download
memory/4596-3-0x00007FF9E2CE0000-0x00007FF9E37A1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-78-0x00007FF9E2CE3000-0x00007FF9E2CE5000-memory.dmp

Filesize
8KB

Download
memory/4596-79-0x00007FF9E2CE0000-0x00007FF9E37A1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-91-0x00007FF9E2CE0000-0x00007FF9E37A1000-memory.dmp

Filesize
10.8MB

Download