Behavioral Report

Analysis

max time kernel
113s
max time network
121s
resource
win7v191014

Sharing

Copy URL

Twitter E-mail

General

Target

crypted[1].bin
Sample

191129-bykghah8ge
SHA256

9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Score

N/A

Malware Config

Signatures

Reads Secure browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ 1304 crypted[1].bin.exe
Reads Waterfox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ 1304 crypted[1].bin.exe
Reads Uran user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ 1304 crypted[1].bin.exe
Reads Tor Browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\TorBro\Profile\ 1304 crypted[1].bin.exe
Reads Nichrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Nichrome\User Data\ 1304 crypted[1].bin.exe
Reads Qip surf user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\QIP Surf\User Data\ 1304 crypted[1].bin.exe
Reads 7star user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ 1304 crypted[1].bin.exe
Reads Torch user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Torch\User Data\ 1304 crypted[1].bin.exe
Reads Pale Moon browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ 1304 crypted[1].bin.exe
Suspicious use of SetWindowsHookEx ⋅ 1 IoCs

Processes:

crypted[1].bin.exe

pid process

1304 crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\TorBro\Profile\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Nichrome\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\QIP Surf\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\7Star\7Star\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Torch\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\	1304	crypted[1].bin.exe

pid	process
1304	crypted[1].bin.exe

⋅ 4 IoCs

Processes:

crypted[1].bin.exe

ioc
drive.google.com
File opened for modification	C:\Users\Admin\AppData\Local\Temp\machineinfo.txt	1304	crypted[1].bin.exe
HTTP URL	http://34.76.145.229/gate/log.php
HTTP URL	http://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate

Reads Sputnik user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ 1304 crypted[1].bin.exe
Reads user profile for Thunderbird email client, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ 1304 crypted[1].bin.exe
Reads Rockmelt user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\RockMelt\User Data\ 1304 crypted[1].bin.exe
Reads Vivaldi user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Vivaldi\User Data\ 1304 crypted[1].bin.exe
Reads Amigo user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Amigo\User Data\ 1304 crypted[1].bin.exe
Reads Orbitum user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Orbitum\User Data\ 1304 crypted[1].bin.exe
Reads Suhba user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Suhba\User Data\ 1304 crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\RockMelt\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Vivaldi\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Amigo\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Orbitum\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Suhba\User Data\	1304	crypted[1].bin.exe

Checks for installed software on the system ⋅ 1 TTPs 1 IoCs

discovery

TTPs:

Query Registry

Processes:

crypted[1].bin.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	1304	crypted[1].bin.exe

Reads Chromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Chromium\User Data\ 1304 crypted[1].bin.exe
Reads Dragon user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ 1304 crypted[1].bin.exe
Runs ping.exe ⋅ 1 TTPs 1 IoCs
evasion spreading

TTPs:

Remote System Discovery

Processes:

PING.EXE

pid process

1232 PING.EXE
Reads Kometa user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Kometa\User Data\ 1304 crypted[1].bin.exe
Reads Superbird user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Superbird\User Data\ 1304 crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Chromium\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\	1304	crypted[1].bin.exe

pid	process
1232	PING.EXE

ioc	pid	process
C:\Users\Admin\AppData\Local\Kometa\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Superbird\User Data\	1304	crypted[1].bin.exe

Modifies system certificate store ⋅ 2 TTPs 3 IoCs

evasion spyware trojan

TTPs:

Install Root Certificate Modify Registry

Processes:

crypted[1].bin.exe

description	ioc	pid	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	1304	crypted[1].bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d03003000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	1304	crypted[1].bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0302000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	1304	crypted[1].bin.exe

Reads Chrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ 1304 crypted[1].bin.exe
Reads Epic privacy browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ 1304 crypted[1].bin.exe
Reads Centbrowser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\CentBrowser\User Data\ 1304 crypted[1].bin.exe
Reads Elements browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Elements Browser\User Data\ 1304 crypted[1].bin.exe
Reads Mustang user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ 1304 crypted[1].bin.exe
Deletes itself ⋅ 1 IoCs

Processes:

cmd.exe

pid process

1800 cmd.exe
Reads Chrome SxS user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ 1304 crypted[1].bin.exe
Reads Bromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Bromium\User Data\ 1304 crypted[1].bin.exe
Reads Chedot user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Chedot\User Data\ 1304 crypted[1].bin.exe
Reads Firefox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ 1304 crypted[1].bin.exe
Accesses Bither wallet, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

description ioc pid process

File opened (read-only) C:\Users\Admin\AppData\Roaming\Bither\address.db 1304 crypted[1].bin.exe
Suspicious use of WriteProcessMemory ⋅ 2 IoCs

Processes:

crypted[1].bin.execmd.exe

description pid process target process

PID 1304 wrote to memory of 1800 1304 crypted[1].bin.exe cmd.exe
PID 1800 wrote to memory of 1232 1800 cmd.exe PING.EXE
raccoon family
family raccoon
Loads dropped DLL ⋅ 1 IoCs

Processes:

crypted[1].bin.exe

pid process

1304 crypted[1].bin.exe
Reads Go! user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
spyware

TTPs:

Data from Local System Credentials in Files

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Go!\User Data\ 1304 crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\CentBrowser\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Elements Browser\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\	1304	crypted[1].bin.exe

pid	process
1800	cmd.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Bromium\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Chedot\User Data\	1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\	1304	crypted[1].bin.exe

description	ioc	pid	process
File opened (read-only)	C:\Users\Admin\AppData\Roaming\Bither\address.db	1304	crypted[1].bin.exe

description	pid	process	target process
PID 1304 wrote to memory of 1800	1304	crypted[1].bin.exe	cmd.exe
PID 1800 wrote to memory of 1232	1800	cmd.exe	PING.EXE

pid	process
1304	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Go!\User Data\	1304	crypted[1].bin.exe

C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe

"C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"

Reads Secure browser user data, possible credential harvesting
Reads Waterfox user profile, possible credential harvesting
Reads Uran user data, possible credential harvesting
Reads Tor Browser user profile, possible credential harvesting
Reads Nichrome user data, possible credential harvesting
Reads Qip surf user data, possible credential harvesting
Reads 7star user data, possible credential harvesting
Reads Torch user data, possible credential harvesting
Reads Pale Moon browser user profile, possible credential harvesting
Suspicious use of SetWindowsHookEx
Reads Sputnik user data, possible credential harvesting
Reads user profile for Thunderbird email client, possible credential harvesting
Reads Rockmelt user data, possible credential harvesting
Reads Vivaldi user data, possible credential harvesting
Reads Amigo user data, possible credential harvesting
Reads Orbitum user data, possible credential harvesting
Reads Suhba user data, possible credential harvesting
Checks for installed software on the system
Reads Chromium user data, possible credential harvesting
Reads Dragon user data, possible credential harvesting
Reads Kometa user data, possible credential harvesting
Reads Superbird user data, possible credential harvesting
Modifies system certificate store
Reads Chrome user data, possible credential harvesting
Reads Epic privacy browser user data, possible credential harvesting
Reads Centbrowser user data, possible credential harvesting
Reads Elements browser user data, possible credential harvesting
Reads Mustang user data, possible credential harvesting
Reads Chrome SxS user data, possible credential harvesting
Reads Bromium user data, possible credential harvesting
Reads Chedot user data, possible credential harvesting
Reads Firefox user profile, possible credential harvesting
Accesses Bither wallet, possible credential harvesting
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads Go! user data, possible credential harvesting

PID:1304

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"

Deletes itself
Suspicious use of WriteProcessMemory

PID:1800

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"

PID:736

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Runs ping.exe

PID:1232

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

\Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\AdLibs\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\AdLibs\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Download Submit