521433d5e57056d9453e33f572757e5dde402d9b97b4edee522bff7dcaea579e

General

Target

SecuriteInfo.com.Win32.Heri.31591.21349.exe
Size

376KB
MD5

5614c61123bd258268b2798cb0077656
SHA1

81fae3e277fe42a51093a48d1fc94821665b7728
SHA256

521433d5e57056d9453e33f572757e5dde402d9b97b4edee522bff7dcaea579e
SHA512

dacabf0fd4726eb73118c3c97e11fc02b0a99c05505dd42aadb9d14e7a5ccdd6692e1f0ca7b4a98e526defb1336aa6cc86a8082bcb678d642967c40822c78713

Score

8^/10

Executes dropped EXE 2 IoCs

Processes:

jfiag_gg.exejfiag_gg.exe

pid process

1748 jfiag_gg.exe
1896 jfiag_gg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1748	jfiag_gg.exe
1896	jfiag_gg.exe

Adds Run entry to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

SecuriteInfo.com.Win32.Heri.31591.21349.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	SecuriteInfo.com.Win32.Heri.31591.21349.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Loads dropped DLL 4 IoCs

Processes:

SecuriteInfo.com.Win32.Heri.31591.21349.exe

pid	process
1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe
1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe
1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe
1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Win32.Heri.31591.21349.exe

description	pid	process	target process
PID 1768 wrote to memory of 1748	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1748	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1748	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1748	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1896	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1896	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1896	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe
PID 1768 wrote to memory of 1896	1768	SecuriteInfo.com.Win32.Heri.31591.21349.exe	jfiag_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
2⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
2⤵
- Executes dropped EXE
PID:1896