8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb

General

Target

91cee6dd31c751aaefb0262491131d80.exe
Size

448KB
MD5

4376d0d5d4d90a28dff32caf78aad03c
SHA1

56ba7c2f016235894fed7a7916b68e053f64ebba
SHA256

8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb
SHA512

95bbed9ba8277d462d979e8e48af6a9bd4f783f74461585fde9c5b4f5039f7ecd00a3c82a5725f2e4de0bc7ff95371064565afcb0306929e53bd07323552f918

Score

8^/10

discovery persistence spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

.exe

pid process

1360 .exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1360	.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

.exe

description	ioc	process
Key created	\registry\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\\.exe\" ?"	.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}	91cee6dd31c751aaefb0262491131d80.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000"	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase"	91cee6dd31c751aaefb0262491131d80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}"	91cee6dd31c751aaefb0262491131d80.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/"	91cee6dd31c751aaefb0262491131d80.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

pid process

3980 91cee6dd31c751aaefb0262491131d80.exe
3980 91cee6dd31c751aaefb0262491131d80.exe

pid	process
3980	91cee6dd31c751aaefb0262491131d80.exe
3980	91cee6dd31c751aaefb0262491131d80.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	pid	process
Token: SeManageVolumePrivilege	3980	91cee6dd31c751aaefb0262491131d80.exe
Token: SeDebugPrivilege	3980	91cee6dd31c751aaefb0262491131d80.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

91cee6dd31c751aaefb0262491131d80.exe

description	pid	process	target process
PID 3980 wrote to memory of 1360	3980	91cee6dd31c751aaefb0262491131d80.exe	.exe
PID 3980 wrote to memory of 1360	3980	91cee6dd31c751aaefb0262491131d80.exe	.exe
PID 3980 wrote to memory of 1360	3980	91cee6dd31c751aaefb0262491131d80.exe	.exe

C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe
"C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe
>
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.cfg
MD5
20165a79bcccf30bbef992c7820b2829

SHA1
00445acf5c6cc679e76d47b519132cb9485fd445

SHA256
7104e9fd4c65275f9e5c9557188f11f56faf9e9e54543a4c8e42284830a3bc6a

SHA512
eb968a59eb2fe7440596e8d57fb64b79b8ae2ddc79f8812200248653165d3b1285ffcd5d0381fd0980fecad9b76ccea613c515dfb1f1e15d850d6e3eacb0052f

Download Submit
C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe
MD5
bc946336443689a1d2fe120208a8d2d4

SHA1
fd732b24c336a8f96ffb330daa49a231075389e9

SHA256
673e38d55492d70c2a5120e65cee5b820e51a4564e3530daab61d0a85cd54fb1

SHA512
652db4d08a6d9562e8964e7d89e27efb72f8b2e268abe326a524332d765c8d32b576033beaafec3f48e0fa41c193e42f78dec4473f4cdcc3b5e23ee1ed3e9669

Download Submit
C:\Users\Admin\AppData\Local\{D1824327-FBA0-5FD2-7211-69FE18DED2B8}\.exe
MD5
bc946336443689a1d2fe120208a8d2d4

SHA1
fd732b24c336a8f96ffb330daa49a231075389e9

SHA256
673e38d55492d70c2a5120e65cee5b820e51a4564e3530daab61d0a85cd54fb1

SHA512
652db4d08a6d9562e8964e7d89e27efb72f8b2e268abe326a524332d765c8d32b576033beaafec3f48e0fa41c193e42f78dec4473f4cdcc3b5e23ee1ed3e9669

Download Submit
memory/1360-1-0x0000000000000000-mapping.dmp

Download
memory/1360-4-0x00000000007F7000-0x00000000007F8000-memory.dmp

Filesize
4KB

Download
memory/3980-0-0x0000000000937000-0x0000000000938000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads