309911eeb73e0a28aa50c3e4a51121db47068398b9284432e37e6d2d44c654a4

Analysis

Target

0.exe
Size

92KB
MD5

1f1f729ed90fd59ceb8f3c75e40cf5c3
SHA1

561db88fe754068dcf0a266b45dbd6bdecef67aa
SHA256

309911eeb73e0a28aa50c3e4a51121db47068398b9284432e37e6d2d44c654a4
SHA512

4e7773b07bed429d54b9bfec034200e0213304482cff29904c04f28fd47722e0fbffaaa46461ce822e3f634431680ecd1690fbac883fef6667c40afc0b3294dd

Score

7^/10

spyware

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0.exe

description pid process

Token: SeDebugPrivilege 1492 0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	ioc
3	ip-api.com

description	pid	process
Token: SeDebugPrivilege	1492	0.exe

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact