297a85bb7912f7d8e148c5036d19d32f90c36378dd8116853e9b8b6179a269a3

Analysis

Target

dddd.exe
Size

84KB
MD5

4ab065354c6156380645c905823cafde
SHA1

331828a86d6a174256a5721f18c02da9d4cf2268
SHA256

297a85bb7912f7d8e148c5036d19d32f90c36378dd8116853e9b8b6179a269a3
SHA512

3c0039b5179044ea431c7157fbddea0e0006659144fedd9e0b6255337f274142b76912f37e58169cfb541d936252b9fbe7876cc76ace3d01b8e82157267f810d

Score

7^/10

spyware

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dddd.exe

description pid process

Token: SeDebugPrivilege 2728 dddd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process
Token: SeDebugPrivilege	2728	dddd.exe

flow	ioc
1	ip-api.com

C:\Users\Admin\AppData\Local\Temp\dddd.exe
"C:\Users\Admin\AppData\Local\Temp\dddd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact