5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930

General

Target

5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
Size

2.3MB
MD5

3fa08a11d59047a429dd90fcc15a6a87
SHA1

60a15cd2a326fd390a80a6056843f3721c33e3ff
SHA256

5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930
SHA512

6a23ec6be673d9607c080a2e1d35751d0622efc7f27500e5370bfc61fa5361cd2aed4a76e87a0c729f754cd78aa353475cb44b72fbcdfe47f094ce6ec219476a

Score

7^/10

spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 5938 IoCs

Processes:

5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Indian\Reunion	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Jamaica	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoDev.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\SystemV\MST7	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\th-TH\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Microsoft Analysis Services\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\el.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Seoul	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\Help\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\PopRemove.pdf	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Filters\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\!!!README!!!.txt	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 1232 WerFault.exe

pid	pid_target	process	target process
1672	1232	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exeWerFault.exe

pid	process
1568	5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1672 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1672 WerFault.exe

pid	process
1672	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1672	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5c8e4758ca55c7b3f6379d2edccdfd9616517eb420887601115f7736b25e6930.bin.sample.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1232 -s 1436
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-0-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download
memory/1568-3-0x0000000002C80000-0x0000000002C91000-memory.dmp

Filesize
68KB

Download
memory/1568-2-0x0000000003090000-0x00000000030A1000-memory.dmp

Filesize
68KB

Download
memory/1568-1-0x0000000002C80000-0x0000000002C91000-memory.dmp

Filesize
68KB

Download
memory/1672-168-0x0000000001F00000-0x0000000001F11000-memory.dmp

Filesize
68KB

Download
memory/1672-169-0x0000000002C70000-0x0000000002C81000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing