6fd31ad446a222eb27dd578b3b66cd9e6f667d47a256441c70d7410563cab489

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe
Size

20.0MB
MD5

e5293b3cb9e4f710b5c1bec09ea16d85
SHA1

4063cb95a16891b3b6c99354b5473fce31721496
SHA256

6fd31ad446a222eb27dd578b3b66cd9e6f667d47a256441c70d7410563cab489
SHA512

5f750c7676a41aaf445736ac7661d75e9cce6e2993a2f5ef9567ffe30c39d528b759895c83db6d45f647a50e22ecb4200adb1a8384fa8760e97f9b3cc129d051
SSDEEP

393216:jtVjUU7FxD+31pK5cV7MQ4graklxuxpWEn73cYkktZROwRAgUPG4THTjYc+rG+vW:5VjUU7FxD+loCV7f4gWkxu/3cHk7ryGQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Auslogics\Duplicate File Finder\unins000.dat	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
File created	C:\Program Files (x86)\Auslogics\Duplicate File Finder\is-G20VI.tmp	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
File created	C:\Program Files (x86)\Auslogics\Duplicate File Finder\Lang\is-EBB6U.tmp	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
File created	C:\Program Files (x86)\Auslogics\Duplicate File Finder\Lang\is-2G3P3.tmp	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Executes dropped EXE 1 IoCs

pid	Process
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Loads dropped DLL 14 IoCs

pid	Process
2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB8A52AD-4546-26B7-1F5E-CC8F11AAA927}\Version\Assembly = ee0c7ad1bf43946452d1d6c94c935c7eee0c7ad1bf43946452d1d6c94c935c7e88ad8cbb5ed3f66b83a8a2cdf194269c890bb34aebd806e41a50d3bd9c0b4765219909f09e75dec0927ff4e8152284cd219909f09e75dec0927ff4e8152284cd59b5414605bae21e9735786eb516d3f8de1283c2aff9bf99d33ed2740c86bbd2f8157495fe950fa4a01046bb55f00dad0f20aa1b1adfe602954529934d03147d	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB8A52AD-4546-26B7-1F5E-CC8F11AAA927}\Version	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB8A52AD-4546-26B7-1F5E-CC8F11AAA927}	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
2268	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30
PID 2276 wrote to memory of 2268	2276	SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\is-JKSQD.tmp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JKSQD.tmp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp" /SL5="$40150,20502182,505856,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.exe"
  2⤵
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab236A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar245B.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\enu.lng

Filesize
357KB

MD5
81aa5634a4f4e55207f0a46360236127

SHA1
53d3f8c4ede5c95851db9a5951392997123b7188

SHA256
ced60f075f2c3e311833cf6280e1eda0a46ab8a9916e4f5f8cc015481a77e1d6

SHA512
b206467bb27efa339e471866677f8c3f10d2553a2788df4fa444ae115bdf262f510aad8e5d1ccddd36f79ae9df9981e7c8b7d0e622009f82a7ac1be3f70b0839

Download Submit
\Users\Admin\AppData\Local\Temp\is-JKSQD.tmp\SecuriteInfo.com.Program.Unwanted.5599.6046.25600.tmp

Filesize
1.5MB

MD5
3af39fa30f4fcd4628e15a0a2ab3af12

SHA1
30a221318994600b615b7daae9316fbc7e8820c9

SHA256
ce704900f617ec71cbef6eb8a4a517c2768937e6c3e862becf7a846bb516f401

SHA512
3ed16998cc64307674b19c7332a75094244555a55b88e44a830f950a4e21d93fe44d3d11438ecef71608c5a67b8a1612b505ca8e9adf0322451aea0f9890210e

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\AxComponentsRTL.bpl

Filesize
2.5MB

MD5
07d0149eb09496eb54a372ae489f7565

SHA1
93debd1030161acbc1f999ed4a87176f12e0e0f4

SHA256
3587192b3334258f3c41be810e5980b8aa51de3dbf04228dfee67b75681516ef

SHA512
b1cc9a8380550988b4e336121f20e04b3f44b49f51075587f677e38199bf4dda95411d4258aaa2962472936fce3ac94e6c8bad5d4533b1f1e8493ffb2464d679

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\AxComponentsVCL.bpl

Filesize
8.8MB

MD5
8724e5f0b2e64b0d0d905ad8fb493d52

SHA1
86e90b22b180ecb3e70e0989a4eeb927e39ea1a1

SHA256
dbeb9160511ffeab19082ada9273e20fe4c0b7e2721cb0ae640f26d634862299

SHA512
0fcc63a0c9291c9a0b6acf89a7121ed2c0a94785ed7dce5b3eb4251c9bf0b2af0148d40ec07fc64ed837abd51f84db4a1c6a32436fec93b06a62f9e9807ef0c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\BrowserHelper.dll

Filesize
2.1MB

MD5
7d799f726584d2e7ea2e9c2e366124bd

SHA1
d9feb7c91bc46005b5caeca3873da848ea057a0d

SHA256
981a6756b2c39a8d096c0e2a64d6962553c522253018597d25d9e3ac38836832

SHA512
b705d302a691ad47a4cb9ba6c0c8336b7af3b93bb7d36c35a5a3c68b2537fe62420634785600b1b301717b803d961bb92f8525f5c91fce732db931cf935ecf74

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\CFAHelper.dll

Filesize
97KB

MD5
948ed0ffac9dbd853cd2b02a33bc5709

SHA1
3fcfd2d09a5a89ab9a6040b4d4d438ebd2dcc48d

SHA256
dc894ea2334c057843cb0e53ade93a52a82f960198fcfd66f88c7fa9a1c60c5c

SHA512
a178dea22381d7f0ad9874e195c8675939102f032bf2f5f4bca8e6ea4b339b34b188a1a69b890bf18bded48de386069896442bfe56304d6db1b61497d9717294

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\CommonForms.Site.dll

Filesize
345KB

MD5
9f8e05d118b228c0414443da40d5cdd5

SHA1
85a1f6b62fa0671a749cf47efd3f427f0bddc730

SHA256
6fee4fd1fd06427bf6016fcfd3a9b64e3e3cf3a3b9db005c1a9e47a7764c40b0

SHA512
8f952c066fa76cdbe9bf077b7a461fd019f9134fee779b23de97c570cffdd7a7ce7d7b0c0f919ae5c58afb410fd10a2e9990f83c07b8dfac5c7d6f0255355947

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\GoogleAnalyticsHelper.dll

Filesize
141KB

MD5
6ed3eaa975a7831ad3438633a7ae89be

SHA1
76954e4a66502d2678a85fcabbf6cbe08d0de595

SHA256
92abb2e877cfff30a1b7803d2e916da584cc525e77937619a2fb703e3c6d2288

SHA512
c89011dff3a3b176246b48513c31a03d36a14249b427be4e8206fc78a9611f24ec585aae0199adeb2ba9e7b5ab290aeda8953a4b358021b907260f2c05099d0f

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\Integrator.exe

Filesize
5.0MB

MD5
38b9366adf103dd2a1934ca78978c358

SHA1
3aaf3cbc74cf52acd913f61614bed827d704f0c6

SHA256
52f45d37307cc850f202dc2c20e5183ae9778e11feff6642f12fa64dad2abb09

SHA512
2f93a595d64bd05d7997ed5d0de0f624d06d4f16f76f3473061d5fb20c45a8dfbe7cceda6f2a07e7338bc1ca7381089679d08e7f40122e2b51d1b55f4e1e3648

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\Localizer.dll

Filesize
192KB

MD5
3b3fdb2c16a2042f8deb5d4f8ff5644f

SHA1
89bba06f1141079071656c91d2bcfa74a7991173

SHA256
195247a3bb0ec44211831838c166776568fc69a5b0bc7a431c8db885045e1a41

SHA512
fa9f8ceddf656ad9f889bfda3c485f125b4965a1376e6145671fa9b6d147dd56cdffc41191f22b8abe5b287729d46c3bf2de41d4803179881fc0583d0dd12960

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\SetupCustom.dll

Filesize
2.1MB

MD5
21e7f07bab223d25d4d13b7ebd910c5c

SHA1
5452000d0f38a1d0912e2862ed597d27b5a61765

SHA256
ddffdd6c8fa8475162f9e0159452edb59d9f0c133e594d011c792282fc079201

SHA512
5585104f97c422a5726ce35fb08ab4677822672492662692cbeafceaba4f9a69753ef3c74c5c477d656daad2defd550b9b0ec0dd7b35fcf42d5ad025c6339c8a

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\rtl250.bpl

Filesize
10.1MB

MD5
942cc74b7ef66b51859d135fa3bc8bb2

SHA1
642810b822d9e4ddd40faafb7437b552d2ad7d56

SHA256
66f2f6b2e8c24827d63f6415094ae40fddd50f30e097cda395cc0116d57356a6

SHA512
941e41ed4031674168d4b4380d52cdea4d3077c1e871a9f61d8c85030befda654b06cb5da666d906130fa2d5b985573b274f9d77ac570b634be295baefa385e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\vcl250.bpl

Filesize
3.9MB

MD5
e4f482e3f7eb949256402c38e467122f

SHA1
2910db3ffc1769d2ae83b6569fa91e79faaa4033

SHA256
10b9d8569b8f9e9e46e7a579855492353c43f1e3b5d4a28959015bed5570350c

SHA512
8dc4eadc0ebe0cc86e7ac85843c16be5cc563a5dce2985f34b4769786e5d2f7176b62506854ef5e5b75a58aa1cbe45934650e7cab098a639bc62affe9119241b

Download Submit
\Users\Admin\AppData\Local\Temp\is-OVJA4.tmp\vclimg250.bpl

Filesize
355KB

MD5
57496780b9a5c733144e5663f088f42a

SHA1
ccdd74d1a638629f8fdba43ce1180a23d7a463dc

SHA256
6be794294ff9c4b27debc6ed50fce865d028cf496d4e39fcce9c4f8e48cbfbfd

SHA512
50cf52cc8524551e9fd106c823039f604df2b92d2de859ef2d4b85016d603a6c31dc928e155949554c20ebd63f5b5665b627cc8853576a6149f2213b533f16d0

Download Submit
memory/2268-87-0x0000000008800000-0x000000000881B000-memory.dmp

Filesize
108KB

Download
memory/2268-8-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2268-53-0x0000000008120000-0x0000000008140000-memory.dmp

Filesize
128KB

Download
memory/2268-54-0x0000000008120000-0x0000000008140000-memory.dmp

Filesize
128KB

Download
memory/2268-74-0x0000000008760000-0x0000000008780000-memory.dmp

Filesize
128KB

Download
memory/2268-149-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2268-46-0x0000000007D20000-0x0000000007F98000-memory.dmp

Filesize
2.5MB

Download
memory/2268-73-0x0000000008760000-0x0000000008780000-memory.dmp

Filesize
128KB

Download
memory/2268-71-0x0000000008700000-0x0000000008759000-memory.dmp

Filesize
356KB

Download
memory/2268-43-0x0000000007440000-0x0000000007D19000-memory.dmp

Filesize
8.8MB

Download
memory/2268-90-0x0000000008820000-0x0000000008845000-memory.dmp

Filesize
148KB

Download
memory/2268-36-0x00000000003A0000-0x00000000003FA000-memory.dmp

Filesize
360KB

Download
memory/2268-33-0x0000000007210000-0x0000000007437000-memory.dmp

Filesize
2.2MB

Download
memory/2268-64-0x00000000083D0000-0x0000000008402000-memory.dmp

Filesize
200KB

Download
memory/2268-153-0x0000000050A80000-0x0000000050E72000-memory.dmp

Filesize
3.9MB

Download
memory/2268-151-0x00000000003A0000-0x00000000003FA000-memory.dmp

Filesize
360KB

Download
memory/2268-158-0x0000000008800000-0x000000000881B000-memory.dmp

Filesize
108KB

Download
memory/2268-159-0x0000000008820000-0x0000000008845000-memory.dmp

Filesize
148KB

Download
memory/2268-157-0x0000000008700000-0x0000000008759000-memory.dmp

Filesize
356KB

Download
memory/2268-156-0x00000000083D0000-0x0000000008402000-memory.dmp

Filesize
200KB

Download
memory/2268-155-0x0000000007D20000-0x0000000007F98000-memory.dmp

Filesize
2.5MB

Download
memory/2268-154-0x0000000007440000-0x0000000007D19000-memory.dmp

Filesize
8.8MB

Download
memory/2268-152-0x0000000050050000-0x0000000050A76000-memory.dmp

Filesize
10.1MB

Download
memory/2268-150-0x0000000007210000-0x0000000007437000-memory.dmp

Filesize
2.2MB

Download
memory/2276-160-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2276-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2276-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download