7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318

General

Target

7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe
Size

3.9MB
MD5

d9a3d088b4cbcbfb2230da604571868c
SHA1

bf01b74eb384cb5b7817cb891ccf96c883b98988
SHA256

7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318
SHA512

9a70a94ebb76f25724bb5653db9e9d76d6f8800bee053379e919d42d6df363df9963f1891b45756e19ab77030031ffb2bc0eb9434fa0c51db50a7f7418808ee2

Score

8^/10

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Loads dropped DLL 4 IoCs

pid	Process
1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe
1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe
1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe
1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1528	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	24
PID 1388 wrote to memory of 1528	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	24
PID 1388 wrote to memory of 1528	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	24
PID 1388 wrote to memory of 1528	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	24
PID 1388 wrote to memory of 372	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	25
PID 1388 wrote to memory of 372	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	25
PID 1388 wrote to memory of 372	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	25
PID 1388 wrote to memory of 372	1388	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe	25

Executes dropped EXE 2 IoCs

pid	Process
1528	jfiag_gg.exe
372	jfiag_gg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe

C:\Users\Admin\AppData\Local\Temp\7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe
"C:\Users\Admin\AppData\Local\Temp\7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:1388
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  PID:372