c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0

General

Target

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe
Size

1.4MB
MD5

0135c1b313921dc0ecdd607f08b2f5fd
SHA1

1430a4d71665a27bd8e4937cc0f7cef6f4ad3a9a
SHA256

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0
SHA512

0677a7f69c7fc070b7c8123ea4c64f68ccc26e6a2b7bf9e05ae939d062bce936dbef654f3b03644bda7e5611b56f7813152d973f32cccab8c1ec11c5e9a639cc

Score

7^/10

discovery spyware

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exeWerFault.exeMSBuild.exe

pid	process
3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe
3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe
3156	MSBuild.exe

Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
5 ip-api.com

flow	ioc
1	api.ipify.org
2	api.ipify.org
5	ip-api.com

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exeMSBuild.exe

description	pid	process	target process
PID 3692 wrote to memory of 4028	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 4028	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 4028	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3692 wrote to memory of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe
PID 3156 wrote to memory of 1336	3156	MSBuild.exe	netsh.exe
PID 3156 wrote to memory of 1336	3156	MSBuild.exe	netsh.exe
PID 3156 wrote to memory of 1336	3156	MSBuild.exe	netsh.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exeMSBuild.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe
Token: SeDebugPrivilege	3156	MSBuild.exe
Token: SeRestorePrivilege	500	WerFault.exe
Token: SeBackupPrivilege	500	WerFault.exe
Token: SeDebugPrivilege	500	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe

description	pid	process	target process
PID 3692 set thread context of 3156	3692	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe	MSBuild.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

500 3692 WerFault.exe c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe

pid	pid_target	process	target process
500	3692	WerFault.exe	c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe

Checks for installed software on the system 1 TTPs 29 IoCs

discovery

Query Registry

T1012

Processes:

MSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	MSBuild.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	MSBuild.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe
"C:\Users\Admin\AppData\Local\Temp\c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Checks for installed software on the system
PID:3156

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profiles
3⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1180
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Program crash
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-2-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/500-3-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/500-5-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1336-6-0x0000000000000000-mapping.dmp

Download
memory/3156-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3156-1-0x0000000000496F7E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads