be6a3c4a0636cf4d05cdc8a58a42221d4e6358460d8dd7a679aebeeafe254a06

General

Target

P.O_310006132800154200.scr
Size

426KB
MD5

10edd461dae11be49d9c73cf57081b78
SHA1

beeeee39d7496d6076b4aeb869acf70355b6b404
SHA256

be6a3c4a0636cf4d05cdc8a58a42221d4e6358460d8dd7a679aebeeafe254a06
SHA512

639ef485afd33fd4bcc947c220ebdd218e1b02bf1ccc20340c5494bf298faa2d7ecb53087ffd671511b800602ed2dfe2d9b84cffd93251b7c5abc9f6a5329968

Score

7^/10

spyware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

P.O_310006132800154200.scr

description	pid	process	target process
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr
PID 1496 wrote to memory of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

P.O_310006132800154200.scr

description pid process target process

PID 1496 set thread context of 1904 1496 P.O_310006132800154200.scr P.O_310006132800154200.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

P.O_310006132800154200.scr

description pid process

Token: SeDebugPrivilege 1904 P.O_310006132800154200.scr
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

P.O_310006132800154200.scr

pid process

1904 P.O_310006132800154200.scr
1904 P.O_310006132800154200.scr
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1496 set thread context of 1904	1496	P.O_310006132800154200.scr	P.O_310006132800154200.scr

description	pid	process
Token: SeDebugPrivilege	1904	P.O_310006132800154200.scr

pid	process
1904	P.O_310006132800154200.scr
1904	P.O_310006132800154200.scr

C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr
"C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1496

C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1904-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1904-3-0x0000000000445C4E-mapping.dmp

Download
memory/1904-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1904-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing