a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66

Analysis

max time kernel
147s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe
Size

194KB
MD5

26b1b7280ff792f31759deae431f4d18
SHA1

57d9852c0ce6894fe020062901e7b1cef96a8558
SHA256

a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66
SHA512

14e2446ab408d1a73228a060a26381cbf75982b2ad99f33988f6308dbd6cfa83960728e4632d42a1a4ca3d71643cc73a6cb4fa2bbfb45780c413c9979a25161c

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

ServiceHost packer 9 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2400-74-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-75-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-76-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-77-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-79-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-78-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-80-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-81-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2400-82-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 4 IoCs

Processes:

atiedxx.exe1604851566_Tausuus.exeatiedxx.exeatiedxx.exe

pid process

3648 atiedxx.exe
2400 1604851566_Tausuus.exe
1032 atiedxx.exe
3948 atiedxx.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3648	atiedxx.exe
2400	1604851566_Tausuus.exe
1032	atiedxx.exe
3948	atiedxx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

atiedxx.exe

description	pid	process	target process
PID 3648 set thread context of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 set thread context of 3948	3648	atiedxx.exe	atiedxx.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3108 2400 WerFault.exe 1604851566_Tausuus.exe

pid	pid_target	process	target process
3108	2400	WerFault.exe	1604851566_Tausuus.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exePowershell.exeWerFault.exeatiedxx.exeatiedxx.exe

pid	process
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
1192	Powershell.exe
1192	Powershell.exe
1192	Powershell.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
3108	WerFault.exe
1032	atiedxx.exe
1032	atiedxx.exe
1032	atiedxx.exe
1032	atiedxx.exe
3948	atiedxx.exe
3948	atiedxx.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exePowershell.exeWerFault.exeatiedxx.exe

description	pid	process
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	1192	Powershell.exe
Token: SeRestorePrivilege	3108	WerFault.exe
Token: SeBackupPrivilege	3108	WerFault.exe
Token: SeDebugPrivilege	3108	WerFault.exe
Token: SeDebugPrivilege	3948	atiedxx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exeatiedxx.exe

pid process

912 a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe
3648 atiedxx.exe

pid	process
912	a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe
3648	atiedxx.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exepowershell.exeatiedxx.exe

description	pid	process	target process
PID 912 wrote to memory of 1716	912	a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe	powershell.exe
PID 912 wrote to memory of 1716	912	a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe	powershell.exe
PID 912 wrote to memory of 1716	912	a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe	powershell.exe
PID 1716 wrote to memory of 3648	1716	powershell.exe	atiedxx.exe
PID 1716 wrote to memory of 3648	1716	powershell.exe	atiedxx.exe
PID 1716 wrote to memory of 3648	1716	powershell.exe	atiedxx.exe
PID 3648 wrote to memory of 4056	3648	atiedxx.exe	powershell.exe
PID 3648 wrote to memory of 4056	3648	atiedxx.exe	powershell.exe
PID 3648 wrote to memory of 4056	3648	atiedxx.exe	powershell.exe
PID 3648 wrote to memory of 1192	3648	atiedxx.exe	Powershell.exe
PID 3648 wrote to memory of 1192	3648	atiedxx.exe	Powershell.exe
PID 3648 wrote to memory of 1192	3648	atiedxx.exe	Powershell.exe
PID 3648 wrote to memory of 2400	3648	atiedxx.exe	1604851566_Tausuus.exe
PID 3648 wrote to memory of 2400	3648	atiedxx.exe	1604851566_Tausuus.exe
PID 3648 wrote to memory of 2400	3648	atiedxx.exe	1604851566_Tausuus.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 1032	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe
PID 3648 wrote to memory of 3948	3648	atiedxx.exe	atiedxx.exe

C:\Users\Admin\AppData\Local\Temp\a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe
"C:\Users\Admin\AppData\Local\Temp\a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66.exe' -Destination 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
"C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe';$shortcut.Save()
4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\1604851566_Tausuus.exe
"C:\Users\Admin\AppData\Local\Temp\1604851566_Tausuus.exe" 0
4⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1316
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\dxetiax\1.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
/scomma C:\Users\Admin\AppData\Local\dxetiax\2.log
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f1a546cd6867fc3e928fdc53a9210b4c

SHA1
c2c993b60f4c48f667f53d22b33cc32835bd756e

SHA256
d074a9ed334ec90b33862cb494e5ccb3b13399fd5b2618ad38f9097c5b69bb3b

SHA512
0806fcd716936a81e1aef250a05f5cd089f39c43e9d126b4f203f8b399e36e297626ecd0a47073419dcf9a18a36e05eaccf44f836c2283942d6c21a51e1116a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58bb88e0c260e8790fcf2d4719cddf1b

SHA1
0b3ba591a85a0646e1d57a42ce8eaedc35a4dcd5

SHA256
922c8b6f083275e4b18913752b9f65210dd617dbb0c5a55c2f2d8e010f814492

SHA512
171f4e322f837525d2109cf729adf09486565e0c39fe6c384f11d7023fca622a4c61bac279b61ddad2f67d17f2eac9ebc5330dc27e8c2cf96f6ff78414f47f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1604851566_Tausuus.exe
MD5
273fbafdd57f4115fe25a5b0de1bd150

SHA1
0d280f0e9fb1dad719134dbf15ee4a6f0f2f20d5

SHA256
2810156d3f1f2359e06657a9c851c45117a2c085620fbea132f5a651a3106488

SHA512
2ba96feb79613eadef21d96b4e9f64f53781bf568055e0b3bfad03c74bd729cf194d4f8324d6d7aadcb3766247d9dfec080463b97960c5f953d3986d4820ad7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1604851566_Tausuus.exe
MD5
273fbafdd57f4115fe25a5b0de1bd150

SHA1
0d280f0e9fb1dad719134dbf15ee4a6f0f2f20d5

SHA256
2810156d3f1f2359e06657a9c851c45117a2c085620fbea132f5a651a3106488

SHA512
2ba96feb79613eadef21d96b4e9f64f53781bf568055e0b3bfad03c74bd729cf194d4f8324d6d7aadcb3766247d9dfec080463b97960c5f953d3986d4820ad7d

Download Submit
C:\Users\Admin\AppData\Local\dxetiax\1.log
MD5
de4f4a0e812333a204277f4ca32e0f1e

SHA1
1987425deb61435c610d18fb63ac3d6d84f499b7

SHA256
028d1db1620f8e08f7c5b85f5c6ddd2d20afa5af4f852c4f300ab6ba79dcfa15

SHA512
888e2e7c3315ddff655a94f2d0276a852bd539582acd8758129d5b95f6dcf729eb82e56111c51bb5be8f3f5d4071f13b02151b08c1d0b8bb8dc0763d740df9c2

Download Submit
C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
MD5
26b1b7280ff792f31759deae431f4d18

SHA1
57d9852c0ce6894fe020062901e7b1cef96a8558

SHA256
a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66

SHA512
14e2446ab408d1a73228a060a26381cbf75982b2ad99f33988f6308dbd6cfa83960728e4632d42a1a4ca3d71643cc73a6cb4fa2bbfb45780c413c9979a25161c

Download Submit
C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
MD5
26b1b7280ff792f31759deae431f4d18

SHA1
57d9852c0ce6894fe020062901e7b1cef96a8558

SHA256
a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66

SHA512
14e2446ab408d1a73228a060a26381cbf75982b2ad99f33988f6308dbd6cfa83960728e4632d42a1a4ca3d71643cc73a6cb4fa2bbfb45780c413c9979a25161c

Download Submit
C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
MD5
26b1b7280ff792f31759deae431f4d18

SHA1
57d9852c0ce6894fe020062901e7b1cef96a8558

SHA256
a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66

SHA512
14e2446ab408d1a73228a060a26381cbf75982b2ad99f33988f6308dbd6cfa83960728e4632d42a1a4ca3d71643cc73a6cb4fa2bbfb45780c413c9979a25161c

Download Submit
C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
MD5
26b1b7280ff792f31759deae431f4d18

SHA1
57d9852c0ce6894fe020062901e7b1cef96a8558

SHA256
a2ed1d69dbbc9d342a1f5a1d3d6c67b99f81e2f648557c5c0424d69e9bfbce66

SHA512
14e2446ab408d1a73228a060a26381cbf75982b2ad99f33988f6308dbd6cfa83960728e4632d42a1a4ca3d71643cc73a6cb4fa2bbfb45780c413c9979a25161c

Download Submit
memory/1032-88-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1032-91-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1032-89-0x0000000000447D8A-mapping.dmp

Download
memory/1192-60-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/1192-49-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/1192-52-0x0000000008FB0000-0x0000000008FE3000-memory.dmp

Filesize
204KB

Download
memory/1192-59-0x0000000008F70000-0x0000000008F71000-memory.dmp

Filesize
4KB

Download
memory/1192-46-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/1192-40-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-65-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/1192-39-0x0000000000000000-mapping.dmp

Download
memory/1192-67-0x0000000009430000-0x0000000009431000-memory.dmp

Filesize
4KB

Download
memory/1716-16-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/1716-8-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/1716-3-0x00000000734D0000-0x0000000073BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-4-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1716-5-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1716-6-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/1716-17-0x000000000A400000-0x000000000A401000-memory.dmp

Filesize
4KB

Download
memory/1716-2-0x0000000000000000-mapping.dmp

Download
memory/1716-15-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

Filesize
4KB

Download
memory/1716-14-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/1716-13-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/1716-7-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/1716-12-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/1716-11-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/1716-10-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/1716-9-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2400-74-0x0000000000000000-mapping.dmp

Download
memory/2400-82-0x0000000000000000-mapping.dmp

Download
memory/2400-75-0x0000000000000000-mapping.dmp

Download
memory/2400-76-0x0000000000000000-mapping.dmp

Download
memory/2400-77-0x0000000000000000-mapping.dmp

Download
memory/2400-79-0x0000000000000000-mapping.dmp

Download
memory/2400-78-0x0000000000000000-mapping.dmp

Download
memory/2400-80-0x0000000000000000-mapping.dmp

Download
memory/2400-81-0x0000000000000000-mapping.dmp

Download
memory/2400-62-0x0000000000000000-mapping.dmp

Download
memory/3108-83-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3108-73-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3648-18-0x0000000000000000-mapping.dmp

Download
memory/3948-93-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3948-94-0x0000000000413E10-mapping.dmp

Download
memory/3948-96-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4056-34-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/4056-23-0x0000000000000000-mapping.dmp

Download
memory/4056-25-0x0000000072D00000-0x00000000733EE000-memory.dmp

Filesize
6.9MB

Download
memory/4056-31-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download