12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960

General

Target

b1843967b94d29f088ec35143ad94e6e.exe
Size

412KB
MD5

b1843967b94d29f088ec35143ad94e6e
SHA1

013aa99862c45afe518018a4ca5d8b230f94d0da
SHA256

12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
SHA512

1c3a083b48cc8329cee05aa3ac24aadee65e21626f965623fee8fc7779ecdaaeb7096cb7744712a3fccb4a1c9e6231c7b61fd0541e4eb4131a33d1cf14f09ad5

Score

7^/10

discovery spyware

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

b1843967b94d29f088ec35143ad94e6e.exe

pid process

3100 b1843967b94d29f088ec35143ad94e6e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b1843967b94d29f088ec35143ad94e6e.exe

description pid process

Token: SeDebugPrivilege 3100 b1843967b94d29f088ec35143ad94e6e.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b1843967b94d29f088ec35143ad94e6e.exe

pid process

3100 b1843967b94d29f088ec35143ad94e6e.exe

pid	process
3100	b1843967b94d29f088ec35143ad94e6e.exe

description	pid	process
Token: SeDebugPrivilege	3100	b1843967b94d29f088ec35143ad94e6e.exe

pid	process
3100	b1843967b94d29f088ec35143ad94e6e.exe

Checks for installed software on the system 1 TTPs 29 IoCs

discovery

Query Registry

T1012

Processes:

b1843967b94d29f088ec35143ad94e6e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	b1843967b94d29f088ec35143ad94e6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe
"C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

Download Submit

Analysis

Sharing