9ec04a9e422aaf264c84e8df5fdc280890cf537e0a79fa42462710f52781c428

General

Target

setup_x86_x64_install.exe
Size

1.3MB
MD5

10bbd892427f3378066c04d8b0c29d37
SHA1

e26a0352192fde788de75237d1c27079ea76bba4
SHA256

b1cd31c723fb0f56ff7733ab366ba2cbea4c3194aa1db5b024cade882bef6219
SHA512

87e3463b326e2f9e616c140ace21193be7d1e2bc037ea253052da39371c20e671fc3e31b799cf1813c53bb3a0e9786d4547ff90718b836b28ff5b3133f6393b8
SSDEEP

12288:S17G3C1IAXHkYPD3oiW+e2DUDcm47/PUEYlBSlczF9viy/+EX:OKymAXHnD4iW+e2DQc1L8EtqF9v1+m

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	setup_x86_x64_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_x86_x64_install.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup_x86_x64_install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup_x86_x64_install.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bQileSBU\_Files\_Files\ConfirmUndo.txt

Filesize
200KB

MD5
2c180a1c027b9ef4cb4d547711599fb5

SHA1
91e64861007bc19708976cc0435195ab80294427

SHA256
08086384d80819cdec75a2e0aebeb2dd4f9a4137e2cdfa830d4cb8a59eda2091

SHA512
386ec37e9abaeb365e4dd788084b9db048ce21b2fb4547ccbf5a11921a31d26dc8b2a56c0c2f86c5e66beef335afcb3762e5fcdd938de1eaa1c13bcfe8b36819

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQileSBU\_Files\_Information.txt

Filesize
1KB

MD5
6b7a34ba35c42b929aa1acd84708c334

SHA1
a227a0818ff4af0aba2f69681987021909179fe7

SHA256
c0a23e04e1cd13e0ad83d61523ebd603d42bf8304bd43188773fdd940443891b

SHA512
2853de499f0b77a048a8f1d2db0d3706e09be18b924dd4febde74d4c0d07310ebb1eeb313775e384107f18a8a7f1bd6b1bed52b588e2e49e846648c6b6333a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQileSBU\_Files\_Information.txt

Filesize
1KB

MD5
fd55d106cd767202e0a42442196357a4

SHA1
285fcf1632a24e97948bd845cd5d929e50fdfc35

SHA256
634eb54c9f5a0c0a4da5a2783c0142a2f33688187f8c9b41705aa7231fff46f2

SHA512
fa132bf8c6f17be25daaa37451e28500b9910b7fb9d03d59321876d0fdd8082169be07a6f16dbf1350044ace37502a6f6cad7987d57124ebf8e4e70e6d105435

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQileSBU\_Files\_Information.txt

Filesize
5KB

MD5
b1fdbff86227521d717c3de4d98cd26a

SHA1
bfbf3cb6633e254ee6ef99eb1a796f173cb8740f

SHA256
f3cabc519a213ccc46f04e5af9d32be450f1ae9c31cfdb615881f622612dd386

SHA512
f1b32d9eadf89367f6cff6aed58c48662ee51dff053d5e009d56696ef110edafda93e9fb19b97f4326ba1cf4d727663b5ec746cd6b56e43577b24a4d2de620a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQileSBU\_Files\_Screen_Desktop.jpeg

Filesize
58KB

MD5
e21cdbe89fae98083d52f4e316c57132

SHA1
6adc383424decb557c9c660c3d3818096c2d4bf2

SHA256
0828a66a4466e310a9b96b297c1c1819265d3e5f8e0675857385d34807bfadfc

SHA512
19c7502db654af9f31f1247e97ced879f7a73bd72222dce4a0cb0ce086d5c0a6eb5894e68a009b27a749c9db902117d77935aa08cdb8279b016dce8e14c3713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQileSBU\ygliyhJmIyCd.zip

Filesize
254KB

MD5
b2c8fb1ad708b3899654906da51603e9

SHA1
0c9a8dc77cf35e85613c921d787b8f1e42d82d3e

SHA256
233f15cf42d2dcd4a57e814c89d710f868516ee16551e5f4c31f9bb189c219a5

SHA512
eb63fdef3e01491600d2e51005d7c718df43f39da290b4c3e8b355a22371e1333e1ad09f8ff664c27db6cd21a7e3d9a90eb5da497660e2a68d0ce83dfafbbb81

Download Submit
memory/2872-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/2872-2-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/2872-1-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing