5e93b449a80beffbe61f82bfab9042149156227e74efb7e39c95d0044e4a0ab3

General

Target

TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
Size

849KB
MD5

08ddeda4b15b6401f717cf37dfad1fda
SHA1

db3eda62b4b84eb8828fe15bf469796cd8864209
SHA256

5e93b449a80beffbe61f82bfab9042149156227e74efb7e39c95d0044e4a0ab3
SHA512

16bb8e5935cc8f5d7719d2c724123057f4d4f270b058e098d0e324b2c81fc36ab2235b8c1cb8fb9530cef9ffdd6ac685a4dd2f232a3e2c1e72bf26282eefbbd8

Score

7^/10

persistence spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

ieinstal.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3976	ieinstal.exe
Token: SeDebugPrivilege	3804	NETSTAT.EXE
Token: SeShutdownPrivilege	2964	Explorer.EXE
Token: SeCreatePagefilePrivilege	2964	Explorer.EXE
Token: SeShutdownPrivilege	2964	Explorer.EXE
Token: SeCreatePagefilePrivilege	2964	Explorer.EXE
Token: SeShutdownPrivilege	2964	Explorer.EXE
Token: SeCreatePagefilePrivilege	2964	Explorer.EXE
Token: SeShutdownPrivilege	2964	Explorer.EXE
Token: SeCreatePagefilePrivilege	2964	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TRUNG VIET IMPORT & EXPORT - products_list.excel.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Afxy = "C:\\Users\\Admin\\AppData\\Local\\Afxy\\Afxy.hta"	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TRUNG VIET IMPORT & EXPORT - products_list.excel.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3904 wrote to memory of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 3904 wrote to memory of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 3904 wrote to memory of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 3904 wrote to memory of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 3904 wrote to memory of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 2964 wrote to memory of 3804	2964	Explorer.EXE	NETSTAT.EXE
PID 2964 wrote to memory of 3804	2964	Explorer.EXE	NETSTAT.EXE
PID 2964 wrote to memory of 3804	2964	Explorer.EXE	NETSTAT.EXE
PID 3804 wrote to memory of 3152	3804	NETSTAT.EXE	cmd.exe
PID 3804 wrote to memory of 3152	3804	NETSTAT.EXE	cmd.exe
PID 3804 wrote to memory of 3152	3804	NETSTAT.EXE	cmd.exe
PID 3804 wrote to memory of 3896	3804	NETSTAT.EXE	Firefox.exe
PID 3804 wrote to memory of 3896	3804	NETSTAT.EXE	Firefox.exe
PID 3804 wrote to memory of 3896	3804	NETSTAT.EXE	Firefox.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

TRUNG VIET IMPORT & EXPORT - products_list.excel.exeieinstal.exeNETSTAT.EXE

description	pid	process	target process
PID 3904 set thread context of 3976	3904	TRUNG VIET IMPORT & EXPORT - products_list.excel.exe	ieinstal.exe
PID 3976 set thread context of 2964	3976	ieinstal.exe	Explorer.EXE
PID 3804 set thread context of 2964	3804	NETSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

ieinstal.exeNETSTAT.EXE

pid	process
3976	ieinstal.exe
3976	ieinstal.exe
3976	ieinstal.exe
3976	ieinstal.exe
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE
3804	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ieinstal.exeNETSTAT.EXE

pid process

3976 ieinstal.exe
3976 ieinstal.exe
3976 ieinstal.exe
3804 NETSTAT.EXE
3804 NETSTAT.EXE
3804 NETSTAT.EXE
3804 NETSTAT.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
"C:\Users\Admin\AppData\Local\Temp\TRUNG VIET IMPORT & EXPORT - products_list.excel.exe"
2⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3904

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3976

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3804

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3152

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\6Q4Q29R5\6Q4logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\6Q4Q29R5\6Q4logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\6Q4Q29R5\6Q4logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\6Q4Q29R5\6Q4logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\6Q4Q29R5\6Q4logrv.ini

Download Submit
memory/3152-5-0x0000000000000000-mapping.dmp

Download
memory/3804-4-0x0000000000050000-0x000000000005B000-memory.dmp

Filesize
44KB

Download
memory/3804-7-0x0000000005E70000-0x0000000005F8B000-memory.dmp

Filesize
1.1MB

Download
memory/3804-3-0x0000000000050000-0x000000000005B000-memory.dmp

Filesize
44KB

Download
memory/3804-2-0x0000000000000000-mapping.dmp

Download
memory/3896-9-0x0000000000000000-mapping.dmp

Download
memory/3896-10-0x00007FF6C8B00000-0x00007FF6C8B93000-memory.dmp

Filesize
588KB

Download
memory/3896-11-0x00007FF6C8B00000-0x00007FF6C8B93000-memory.dmp

Filesize
588KB

Download
memory/3896-12-0x00007FF6C8B00000-0x00007FF6C8B93000-memory.dmp

Filesize
588KB

Download
memory/3976-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3976-1-0x000000000041E3A0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads