Analysis
- max time kernel: 114s
- resource: win7v191014
- submitted: 02-12-2019 23:11

Task: task1
Sample: payload.bin.exe
Resource: win7v191014
0 signatures

Signatures
Reads Epic privacy browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\

Reads Nichrome user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Nichrome\User Data\

Reads Centbrowser user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\CentBrowser\User Data\

Reads Kometa user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Kometa\User Data\

Reads Go! user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Go!\User Data\

Reads Uran user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\

Reads Amigo user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Amigo\User Data\

Reads Qip surf user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\QIP Surf\User Data\

Reads user profile for Thunderbird email client, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\

Reads Dragon user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\

Reads Torch user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Torch\User Data\

Reads Firefox user profile, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\

Reads Secure browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\

Reads Chedot user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Chedot\User Data\

Reads 7star user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\

Reads Chrome SxS user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\

Reads Rockmelt user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\RockMelt\User Data\

Reads Tor Browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\TorBro\Profile\

Reads Vivaldi user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Vivaldi\User Data\

Reads Orbitum user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Orbitum\User Data\
Checks for installed software on the system (1 TTP, 28 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
  Key enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Reads Suhba user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Suhba\User Data\

Deletes itself (1 IoC)
  pid: 1508
  process: cmd.exe

Reads Chromium user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Chromium\User Data\

Reads Pale Moon browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\

Reads Mustang user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\

Reads Superbird user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Superbird\User Data\

Reads Waterfox user profile, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\

Reads Bromium user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Bromium\User Data\
Modifies system certificate store
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob
Raccoon
It's the RaccAttack!

Reads Elements browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Elements Browser\User Data\

Loads dropped DLL (1 IoC)
  pid: 856
  process: payload.bin.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 856 wrote to memory of 1508: pid 856, process payload.bin.exe, target process cmd.exe
  PID 1508 wrote to memory of 1240: pid 1508, process cmd.exe, target process PING.EXE

Reads Chrome user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\

Reads Sputnik user data, possible credential harvesting (2 TTPs, 1 IoC)
  process: payload.bin.exe
  ioc: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\
Processes

- C:\Users\Admin\AppData\Local\Temp\payload.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
  - Reads Epic privacy browser user data, possible credential harvesting
  - Reads Nichrome user data, possible credential harvesting
  - Reads Centbrowser user data, possible credential harvesting
  - Reads Kometa user data, possible credential harvesting
  - Reads Go! user data, possible credential harvesting
  - Reads Uran user data, possible credential harvesting
  - Reads Amigo user data, possible credential harvesting
  - Reads Qip surf user data, possible credential harvesting
  - Reads user profile for Thunderbird email client, possible credential harvesting
  - Reads Dragon user data, possible credential harvesting
  - Reads Torch user data, possible credential harvesting
  - Reads Firefox user profile, possible credential harvesting
  - Reads Secure browser user data, possible credential harvesting
  - Reads Chedot user data, possible credential harvesting
  - Reads 7star user data, possible credential harvesting
  - Reads Chrome SxS user data, possible credential harvesting
  - Reads Rockmelt user data, possible credential harvesting
  - Reads Tor Browser user profile, possible credential harvesting
  - Reads Vivaldi user data, possible credential harvesting
  - Reads Orbitum user data, possible credential harvesting
  - Reads Suhba user data, possible credential harvesting
  - Reads Chromium user data, possible credential harvesting
  - Reads Pale Moon browser user profile, possible credential harvesting
  - Reads Mustang user data, possible credential harvesting
  - Reads Superbird user data, possible credential harvesting
  - Reads Waterfox user profile, possible credential harvesting
  - Reads Bromium user data, possible credential harvesting
  - Reads Elements browser user data, possible credential harvesting
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Reads Chrome user data, possible credential harvesting
  - Reads Sputnik user data, possible credential harvesting

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe

- C:\Windows\system32\conhost.exe (depth 1)
  Command line: \??\C:\Windows\system32\conhost.exe "170567490699066284820195978591905946548-1324181297-6827939461883015892416655494"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\vcruntime140.dll
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
- memory/856-0-0x0000000000900000-0x0000000000901000-memory.dmp (filesize 4KB)
- memory/856-1-0x0000000001DE0000-0x0000000001DF1000-memory.dmp (filesize 68KB)