33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zSCD97F9B7/61cf42df34a5e_Fri1721957b061.exe
Size

2.0MB
MD5

29fa0d00300d275c04b2d0cc3b969c57
SHA1

329b7fbe6ba9ceca9507af8adec6771799c2e841
SHA256

28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
SHA512

4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411
SSDEEP

49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral30/files/0x000c000000023b33-2.dat	Nirsoft
behavioral30/files/0x000d000000023b33-8.dat	Nirsoft
behavioral30/memory/5104-9-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral30/files/0x000d000000023b33-8.dat	WebBrowserPassView
behavioral30/memory/5104-9-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

pid	Process
3464	11111.exe
5104	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5104	11111.exe
5104	11111.exe
5104	11111.exe
5104	11111.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3464	3976	61cf42df34a5e_Fri1721957b061.exe	84
PID 3976 wrote to memory of 3464	3976	61cf42df34a5e_Fri1721957b061.exe	84
PID 3976 wrote to memory of 3464	3976	61cf42df34a5e_Fri1721957b061.exe	84
PID 3976 wrote to memory of 5104	3976	61cf42df34a5e_Fri1721957b061.exe	88
PID 3976 wrote to memory of 5104	3976	61cf42df34a5e_Fri1721957b061.exe	88
PID 3976 wrote to memory of 5104	3976	61cf42df34a5e_Fri1721957b061.exe	88

C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42df34a5e_Fri1721957b061.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42df34a5e_Fri1721957b061.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
cb1b474457dcd604ef40872ab957f5f6

SHA1
90dafbdd4d7a44149ac383d22d0304d582e26f65

SHA256
20ad0049997ce595144bc66b87a62bebd0e9ec075b60c9768fd66dcb26a70a67

SHA512
50de78a698902f03694e6b3273e8806bdb39e81d1c282c8919d38c9120151ced947b80805876f2ff7700b4627ac70a5b04093b622707b72c4a3067ef1f5dfbbc

Download Submit
memory/5104-9-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download