178cf2e50182606e000719ee8b7caa9c620950155542d10de6dd7eb5a2a34d01

General

Target

d5c5b23355fd928c660358f5ca0ae439.exe
Size

312KB
MD5

d5c5b23355fd928c660358f5ca0ae439
SHA1

87508a996eac3dae3ce463c7de2c3ee3b4812cc2
SHA256

178cf2e50182606e000719ee8b7caa9c620950155542d10de6dd7eb5a2a34d01
SHA512

e18bf114428037b3df3a62c76fdec73d2790c27e4ebc0beca8bda69e65c544aed7606917b21ac85af07a18575f3da4a3941695f517176668ba1dee1e368da430

Score

7^/10

spyware discovery

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d5c5b23355fd928c660358f5ca0ae439.exe

pid process

832 d5c5b23355fd928c660358f5ca0ae439.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
832	d5c5b23355fd928c660358f5ca0ae439.exe

Checks for installed software on the system 1 TTPs 30 IoCs

discovery

Query Registry

T1012

Processes:

d5c5b23355fd928c660358f5ca0ae439.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	d5c5b23355fd928c660358f5ca0ae439.exe

Loads dropped DLL 1 IoCs

Processes:

d5c5b23355fd928c660358f5ca0ae439.exe

pid process

832 d5c5b23355fd928c660358f5ca0ae439.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d5c5b23355fd928c660358f5ca0ae439.exe

description pid process

Token: SeDebugPrivilege 832 d5c5b23355fd928c660358f5ca0ae439.exe

pid	process
832	d5c5b23355fd928c660358f5ca0ae439.exe

description	pid	process
Token: SeDebugPrivilege	832	d5c5b23355fd928c660358f5ca0ae439.exe

C:\Users\Admin\AppData\Local\Temp\d5c5b23355fd928c660358f5ca0ae439.exe
"C:\Users\Admin\AppData\Local\Temp\d5c5b23355fd928c660358f5ca0ae439.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Download Submit

Analysis

Sharing