Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25-12-2024 13:36
General
-
Target
7zSCD97F9B7/61cf42df34a5e_Fri1721957b061.exe
-
Size
2.0MB
-
MD5
29fa0d00300d275c04b2d0cc3b969c57
-
SHA1
329b7fbe6ba9ceca9507af8adec6771799c2e841
-
SHA256
28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
-
SHA512
4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411
-
SSDEEP
49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
Malware Config
Signatures
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42df34a5e_Fri1721957b061.exe"C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42df34a5e_Fri1721957b061.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1800 -s 4842⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
458KB
MD5ba3a98e2a1faacf0ad668b4e9582a109
SHA11160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA2568165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825
-
Filesize
391KB
MD57165e9d7456520d1f1644aa26da7c423
SHA1177f9116229a021e24f80c4059999c4c52f9e830
SHA25640ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb
-
Filesize
31B
MD5b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
Filesize
246B
MD546183ada973d3bfaab7be726c800e96e
SHA17fcb7272b04d8b1caaf1343ec720461ca79f45c2
SHA2560cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f
SHA512338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926
-
Filesize
496KB