dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a

General

Target

dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
Size

1.4MB
MD5

a1d72456dfc81cd15cbd2ac3a015b34b
SHA1

3807a91078dd020ba23d8cf79c2e4e236e35daa5
SHA256

dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a
SHA512

58a511d71c6a07eb95b06536098ea5dbdb9bc254e2b80b436f4a7591453d09e7674616ef56c9689ce257f204b9ae886fe3ae518ebdae40587f004c16d48e20cf

Score

7^/10

spyware

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	3920	WerFault.exe	67

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67
PID 3888 wrote to memory of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67
PID 3888 wrote to memory of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67
PID 3888 wrote to memory of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67
PID 3888 wrote to memory of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	MSBuild.exe
Token: SeRestorePrivilege	3016	WerFault.exe
Token: SeBackupPrivilege	3016	WerFault.exe
Token: SeDebugPrivilege	3016	WerFault.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3920	MSBuild.exe
3920	MSBuild.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3888 set thread context of 3920	3888	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe	67

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\verclsid.url	dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe

C:\Users\Admin\AppData\Local\Temp\dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe
"C:\Users\Admin\AppData\Local\Temp\dbbfe15516215d810689645a799f406a9cfe0cb0ab19aa0b073383091aac466a.exe"
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetThreadContext
- Drops startup file
PID:3888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1432
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-2-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3016-15-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3920-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing