1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3

General

Target

PO 30091.exe
Size

684KB
MD5

9ac778fb946e20543b571464843fd232
SHA1

1ab3d9251802a6f3c8475cdbf9f7276689b61dd7
SHA256

1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3
SHA512

fb67073a5576592a5775ce1c37d99b378202b33f82ce4efa94a68305e601c1687c179f599551c752399d7e37368280836bf6ef25a2cd729f00c2dbbecf367475

Score

8^/10

persistence spyware

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

msdt.exe

description ioc process

File opened for modification C:\Program Files (x86)\Mgzsd-6h\9rixjv3f0.exe msdt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mgzsd-6h\9rixjv3f0.exe	msdt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO 30091.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 652 wrote to memory of 808	652	PO 30091.exe	PO 30091.exe
PID 652 wrote to memory of 808	652	PO 30091.exe	PO 30091.exe
PID 652 wrote to memory of 808	652	PO 30091.exe	PO 30091.exe
PID 3024 wrote to memory of 988	3024	Explorer.EXE	msdt.exe
PID 3024 wrote to memory of 988	3024	Explorer.EXE	msdt.exe
PID 3024 wrote to memory of 988	3024	Explorer.EXE	msdt.exe
PID 988 wrote to memory of 1556	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 1556	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 1556	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 1992	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 1992	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 1992	988	msdt.exe	cmd.exe
PID 988 wrote to memory of 2548	988	msdt.exe	Firefox.exe
PID 988 wrote to memory of 2548	988	msdt.exe	Firefox.exe
PID 988 wrote to memory of 2548	988	msdt.exe	Firefox.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

PO 30091.exePO 30091.exemsdt.exe

pid process

652 PO 30091.exe
808 PO 30091.exe
808 PO 30091.exe
808 PO 30091.exe
988 msdt.exe
988 msdt.exe
988 msdt.exe
988 msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO 30091.exePO 30091.exemsdt.exe

description	pid	process	target process
PID 652 set thread context of 808	652	PO 30091.exe	PO 30091.exe
PID 808 set thread context of 3024	808	PO 30091.exe	Explorer.EXE
PID 988 set thread context of 3024	988	msdt.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

PO 30091.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	808	PO 30091.exe
Token: SeDebugPrivilege	988	msdt.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

PO 30091.exePO 30091.exemsdt.exe

pid	process
652	PO 30091.exe
652	PO 30091.exe
808	PO 30091.exe
808	PO 30091.exe
808	PO 30091.exe
808	PO 30091.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe
988	msdt.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msdt.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msdt.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YDJPOT20A0H = "C:\\Program Files (x86)\\Mgzsd-6h\\9rixjv3f0.exe"	msdt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3024

C:\Users\Admin\AppData\Local\Temp\PO 30091.exe
"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Users\Admin\AppData\Local\Temp\PO 30091.exe
"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:808

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- System policy modification
- Adds Run entry to policy start application
PID:988

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1992

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrv.ini

Download Submit
memory/808-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/808-1-0x000000000041E330-mapping.dmp

Download
memory/988-10-0x00000000059A0000-0x0000000005A4A000-memory.dmp

Filesize
680KB

Download
memory/988-5-0x0000000000280000-0x00000000003F3000-memory.dmp

Filesize
1.4MB

Download
memory/988-4-0x0000000000280000-0x00000000003F3000-memory.dmp

Filesize
1.4MB

Download
memory/988-3-0x0000000000000000-mapping.dmp

Download
memory/1556-6-0x0000000000000000-mapping.dmp

Download
memory/1992-8-0x0000000000000000-mapping.dmp

Download
memory/2548-11-0x0000000000000000-mapping.dmp

Download
memory/2548-12-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp

Filesize
588KB

Download
memory/2548-13-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp

Filesize
588KB

Download
memory/2548-14-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads