5cfa2d44652bf41e83978ada2013d2e11f988c2179a82da9cae1dc1b53705753

General

Target

2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
Size

3.6MB
MD5

6a594f559bff2fa3ff115c0dc83336e5
SHA1

d3c4f8223888e5c09397ed08ee701231ebdb1355
SHA256

2370a6234d8a97737a93039e6129746750191dec4b6f7015a61db9a3aaa131c8
SHA512

4c9093710174b0dcfd766fae20fb7ccf29aae6860ba34997cba07dab55b191253c3b762ab4f6a14c76be8c3a37f00bc995add3da0e087cd15714c76a16403d77

Score

7^/10

spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25
PID 1164 wrote to memory of 1712	1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe	25

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1712	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1712	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1712	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1712	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

js 2 IoCs

resource	yara_rule
behavioral1/memory/1164-2-0x0000000003760000-0x0000000003D22000-memory.dmp	js
behavioral1/memory/1712-456-0x0000000003810000-0x0000000003DD2000-memory.dmp	js

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
1164	2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe

C:\Users\Admin\AppData\Local\Temp\2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
"C:\Users\Admin\AppData\Local\Temp\2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Checks processor information in registry
- Loads dropped DLL
PID:1164
- C:\Users\Admin\AppData\Local\Temp\2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe
  "C:\Users\Admin\AppData\Local\Temp\2370A6234D8A97737A93039E6129746750191DEC4B6F7015A61DB9A3AAA131C8.exe" /_ShowProgress /mnl
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-6-0x0000000006030000-0x0000000006041000-memory.dmp

Filesize
68KB

Download
memory/1164-2-0x0000000003760000-0x0000000003D22000-memory.dmp

Filesize
5.8MB

Download
memory/1164-1-0x0000000002430000-0x0000000002747000-memory.dmp

Filesize
3.1MB

Download
memory/1164-5-0x0000000005C20000-0x0000000005C31000-memory.dmp

Filesize
68KB

Download
memory/1164-0-0x0000000002430000-0x0000000002747000-memory.dmp

Filesize
3.1MB

Download
memory/1164-7-0x0000000005C20000-0x0000000005C31000-memory.dmp

Filesize
68KB

Download
memory/1164-447-0x0000000005C20000-0x0000000005C31000-memory.dmp

Filesize
68KB

Download
memory/1164-449-0x0000000005C20000-0x0000000005C31000-memory.dmp

Filesize
68KB

Download
memory/1164-452-0x0000000005C20000-0x0000000005C31000-memory.dmp

Filesize
68KB

Download
memory/1712-454-0x00000000024E0000-0x00000000027F7000-memory.dmp

Filesize
3.1MB

Download
memory/1712-455-0x00000000024E0000-0x00000000027F7000-memory.dmp

Filesize
3.1MB

Download
memory/1712-456-0x0000000003810000-0x0000000003DD2000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads