fa377574c99698cd65d8897d93e96c287dff271d4838107aeac36e7a843c1053

General

Target

e06bfb1a6b645d6437051b4ba950a92e.exe
Size

496KB
MD5

e06bfb1a6b645d6437051b4ba950a92e
SHA1

8b18f74b9300dc03df7f826e65d424320cd5cd53
SHA256

fa377574c99698cd65d8897d93e96c287dff271d4838107aeac36e7a843c1053
SHA512

e6a5c00f5ea78a3beb4ab8db9d96d4e61781a72904f0a5340134c5ce413719a12f3802ff259e9e4eb238f4f236fbe27b31d495927ab7949914ac2861a8773ffa

Score

7^/10

discovery spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e06bfb1a6b645d6437051b4ba950a92e.exe

description pid process

Token: SeDebugPrivilege 3564 e06bfb1a6b645d6437051b4ba950a92e.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e06bfb1a6b645d6437051b4ba950a92e.exe

pid process

3564 e06bfb1a6b645d6437051b4ba950a92e.exe

description	pid	process
Token: SeDebugPrivilege	3564	e06bfb1a6b645d6437051b4ba950a92e.exe

pid	process
3564	e06bfb1a6b645d6437051b4ba950a92e.exe

Checks for installed software on the system 1 TTPs 29 IoCs

discovery

Query Registry

T1012

Processes:

e06bfb1a6b645d6437051b4ba950a92e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	e06bfb1a6b645d6437051b4ba950a92e.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	e06bfb1a6b645d6437051b4ba950a92e.exe

C:\Users\Admin\AppData\Local\Temp\e06bfb1a6b645d6437051b4ba950a92e.exe
"C:\Users\Admin\AppData\Local\Temp\e06bfb1a6b645d6437051b4ba950a92e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
PID:3564