664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479

General

Target

phy__1__31629__2649094674__1605642612.exe
Size

796KB
MD5

6bcfa9f7cff3724c68ab9d9a5a7cfa61
SHA1

56b9891386dd507afc6fa109feee6eb783abecb9
SHA256

664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479
SHA512

94eaf0cbd7eea9a6d412eb4ce6d88e83fcb33c50cf545d7a8aa281aca7ed074f34a91c8cdb03429ca11da6cf85bdd974f64f5cbc17246cc8c52e115f0960a776

Score

7^/10

discovery spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org

flow	ioc
23	api.ipify.org

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXEphy__1__31629__2649094674__1605642612.exeAcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	phy__1__31629__2649094674__1605642612.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	phy__1__31629__2649094674__1605642612.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid process

2908 WINWORD.EXE
2908 WINWORD.EXE
3380 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

phy__1__31629__2649094674__1605642612.exe

pid process

500 phy__1__31629__2649094674__1605642612.exe
500 phy__1__31629__2649094674__1605642612.exe

pid	process
500	phy__1__31629__2649094674__1605642612.exe
500	phy__1__31629__2649094674__1605642612.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

WINWORD.EXEEXCEL.EXEAcroRd32.exe

pid	process
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
2908	WINWORD.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3868	AcroRd32.exe
3868	AcroRd32.exe
3868	AcroRd32.exe
3868	AcroRd32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

AcroRd32.exe

description	pid	process	target process
PID 3868 wrote to memory of 688	3868	AcroRd32.exe	RdrCEF.exe
PID 3868 wrote to memory of 688	3868	AcroRd32.exe	RdrCEF.exe
PID 3868 wrote to memory of 688	3868	AcroRd32.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe
"C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:500

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\MeasureStart.dot"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\GetReset.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
ebbcc18c0779b96f2b98a99e9fc82309

SHA1
545ae2a240b9a8460b56fddd4a79e57dfd13c908

SHA256
7fdf354a1b5c7812c5e89c4770c156e572485c54d0fb8eb9554be7c803787216

SHA512
d67149fcded8049c5956eef0c90ea657a948e568d1b4e1a1bc35c8c2394a18723447564d035a801d2e4820f24310d70e2e7fe9df1923c9700201893a9267f1eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
fe8edeb86cdbfe23a6429df208dab41f

SHA1
1b27259cdf74e4f8c6a9305f42e09af4b3ed1ee2

SHA256
889eeadf4a5737abae9c8b3a5033b3385b992926a981e9bfe6fdad3443a6bc4a

SHA512
f3f2b9792c40e617405c68be304b4fd016431178542a276ce9f02a22e7a2e1367cf41909d9439dd52a2a4df0f755e73051c0fd42500117e5ff78ad90d139c9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\906E65D8-8932-4C07-8C85-040E889A534B
MD5
6b708cec09a215b397314fda8df629a4

SHA1
47748c958384b2952665768147a4a13f2f24bc71

SHA256
c4a85fffaceb51ecf7c729cf31cd502611f0ae7dcb3dbf394d5308de23761045

SHA512
281b4d3d59cc7113825f4e48a9d92ed5b5442339d25894385c1c0e60df86105c7cbb32e2d46164c1ba45d0e61fb267dfe35e4c72de59d0677f06352bbb0fcc97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
04875516e0a9f701534d47d00fabfabe

SHA1
fc3444af11440919ed6edb22b5cd545fe0c74426

SHA256
c5c132266a0577e489b2992767d412775cbb6c4dd11e6d039b18d6f2665b0cf3

SHA512
03755b7c0f52924a26bb770ac34257a029ae2d1c59213a851875e53ef275e80816401e9dc1501577325db351dc811a32d7747df28c7be915141c570b4c079474

Download Submit
memory/688-21-0x0000000000000000-mapping.dmp

Download
memory/2908-0-0x00007FFE9A740000-0x00007FFE9AD77000-memory.dmp

Filesize
6.2MB

Download
memory/2908-13-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp

Filesize
43.1MB

Download
memory/2908-14-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp

Filesize
43.1MB

Download
memory/2908-15-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp

Filesize
43.1MB

Download
memory/3380-16-0x00007FFE9A740000-0x00007FFE9AD77000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads