8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb

General

Target

91cee6dd31c751aaefb0262491131d80.exe
Size

448KB
MD5

4376d0d5d4d90a28dff32caf78aad03c
SHA1

56ba7c2f016235894fed7a7916b68e053f64ebba
SHA256

8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb
SHA512

95bbed9ba8277d462d979e8e48af6a9bd4f783f74461585fde9c5b4f5039f7ecd00a3c82a5725f2e4de0bc7ff95371064565afcb0306929e53bd07323552f918

Score

7^/10

spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}	91cee6dd31c751aaefb0262491131d80.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000"	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase"	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}"	91cee6dd31c751aaefb0262491131d80.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/"	91cee6dd31c751aaefb0262491131d80.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

pid process

1040 91cee6dd31c751aaefb0262491131d80.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

pid process

1040 91cee6dd31c751aaefb0262491131d80.exe

pid	process
1040	91cee6dd31c751aaefb0262491131d80.exe

pid	process
1040	91cee6dd31c751aaefb0262491131d80.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	pid	process
Token: SeManageVolumePrivilege	1040	91cee6dd31c751aaefb0262491131d80.exe
Token: SeDebugPrivilege	1040	91cee6dd31c751aaefb0262491131d80.exe

C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe
"C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-0-0x00000000007BB000-0x00000000007BC000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads