8018cda9143d0dfeddb6ef8e5e90a920d837d0bb7eea826b9ce37f3c96850859

General

Target

Copia veloce.exe
Size

626KB
MD5

862a0c97d4eb40f77df90006d24cd462
SHA1

bb5ffb6f696e8c73d80b9eeecada892a7af3a680
SHA256

8018cda9143d0dfeddb6ef8e5e90a920d837d0bb7eea826b9ce37f3c96850859
SHA512

414815ef9faa054e2659725b6586c19d78918e99012b10f067b2490bd45ccb1b206fbd661407be41749d27b05796e701b2ff4d38da7e272ea80eb8a0043b8847

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 3888 wrote to memory of 3836	3888	Copia veloce.exe	67
PID 2976 wrote to memory of 3928	2976	Explorer.EXE	68
PID 2976 wrote to memory of 3928	2976	Explorer.EXE	68
PID 2976 wrote to memory of 3928	2976	Explorer.EXE	68
PID 3928 wrote to memory of 3368	3928	control.exe	69
PID 3928 wrote to memory of 3368	3928	control.exe	69
PID 3928 wrote to memory of 3368	3928	control.exe	69
PID 3928 wrote to memory of 3760	3928	control.exe	71
PID 3928 wrote to memory of 3760	3928	control.exe	71
PID 3928 wrote to memory of 3760	3928	control.exe	71

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	ieinstal.exe
Token: SeDebugPrivilege	3928	control.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 2976	3836	ieinstal.exe	56
PID 3928 set thread context of 2976	3928	control.exe	56

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TLRTQ6-XATB = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	control.exe
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	control.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3836	ieinstal.exe
3836	ieinstal.exe
3836	ieinstal.exe
3836	ieinstal.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3836	ieinstal.exe
3836	ieinstal.exe
3836	ieinstal.exe
3928	control.exe
3928	control.exe
3928	control.exe
3928	control.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Copia veloce.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Copia veloce.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	control.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Copia veloce.exe
  "C:\Users\Admin\AppData\Local\Temp\Copia veloce.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Modifies system certificate store
  PID:3888
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3836
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Adds policy Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Adds Run key to start application
  PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:3368
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3760-10-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/3760-11-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/3760-12-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/3888-0-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/3928-7-0x00000000060A0000-0x0000000006232000-memory.dmp

Filesize
1.6MB

Download
memory/3928-4-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/3928-3-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads