044c16cdbc6ec18f58bfecaacf4d4e21150a19d8d10c694c4a4c3085697499a2

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7v20201028
submitted
04-01-2021 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe

Score

8^/10

spyware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tmprdttmm.exef.exe

pid process

1576 tmprdttmm.exe
840 f.exe

pid	process
1576	tmprdttmm.exe
840	f.exe

Drops startup file 2 IoCs

Processes:

tmprdttmm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	tmprdttmm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	tmprdttmm.exe

Loads dropped DLL 5 IoCs

Processes:

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.execmd.exe

pid	process
1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
272	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

tmprdttmm.exe

pid process

1576 tmprdttmm.exe

pid	process
1576	tmprdttmm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exeaa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exetmprdttmm.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1560	1632	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 1632 wrote to memory of 1560	1632	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 1632 wrote to memory of 1560	1632	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 1632 wrote to memory of 1560	1632	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 1560 wrote to memory of 1576	1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmprdttmm.exe
PID 1560 wrote to memory of 1576	1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmprdttmm.exe
PID 1560 wrote to memory of 1576	1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmprdttmm.exe
PID 1560 wrote to memory of 1576	1560	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmprdttmm.exe
PID 1576 wrote to memory of 272	1576	tmprdttmm.exe	cmd.exe
PID 1576 wrote to memory of 272	1576	tmprdttmm.exe	cmd.exe
PID 1576 wrote to memory of 272	1576	tmprdttmm.exe	cmd.exe
PID 1576 wrote to memory of 272	1576	tmprdttmm.exe	cmd.exe
PID 272 wrote to memory of 840	272	cmd.exe	f.exe
PID 272 wrote to memory of 840	272	cmd.exe	f.exe
PID 272 wrote to memory of 840	272	cmd.exe	f.exe
PID 272 wrote to memory of 840	272	cmd.exe	f.exe

C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
"C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
"C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\appdata\local\temp\tmprdttmm.exe
"C:\Users\Admin\appdata\local\temp\tmprdttmm.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\f.exe > C:\Users\Admin\AppData\Local\Temp\fp.tmp
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Local\Temp\f.exe
C:\Users\Admin\AppData\Local\Temp\f.exe
5⤵
- Executes dropped EXE
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16322\Privkeygen.exe.manifest
MD5
531e60e159542610fb7f6846f14e4ca3

SHA1
e666a8c1337e7900b63ad0788612547db70bcbce

SHA256
f995b80c57367823846a887cdaed691d297223391c224b3ad89523ebf17d4bab

SHA512
0ee55732a7f8a02ccd252b9a3b2d48b55554195b4cc5dcc783e1ff3a4b14920f73f1cbd0de9dcfad6750e3c287c5e3f1f17d24ae4941f06767fc200cd56c6f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\python27.dll
MD5
985cbbc088b7cd7039ab2fdef7df3b7b

SHA1
7d1c58122f6952671dd4368a231cd4eefc14f973

SHA256
65a063a0b44746f382e9669563b29f4ae66b7bf3416c7fa5879a06b70ea9bb40

SHA512
1f5acc2c57a9c0c4367a57499710f3f9516daa7711f61e4db7a86b9654e9faec84ab40c1fda44d777eeaee1a0f6017f257ce4df2109101b6bfa395ab35b36974

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16~1\_ctypes.pyd
MD5
f1134b690b2dc0e6aa0f31be1ed9b05f

SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee

SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16~1\_hashlib.pyd
MD5
24c2f70ff5c6eaddb995f2cbb4bc4890

SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe
MD5
394cbad5808ec208d95c956e5b84a713

SHA1
0c9c643172cd378bd4b775423577ec342de0db85

SHA256
5ee572c02829b15b368ba63c3d821c2e72c3abdf778585d2647e7ae4fbd8e8f7

SHA512
d6714e8b2bde7225ee5a244d94a944033ce869c9677cf43d0951440d0957bae65fd798bfea3e8d652e62f34b19aff0b2638579f968c601556f0b987dedb5c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fp.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmprdttmm.exe
MD5
c4eaa123d911d5d6e259035814e50484

SHA1
1ec456cb8eee62aeaa864e551ded2be4b3eb5b54

SHA256
f6b6db568a6c9b543ff20c1cc5ddf67221c33eb1e0e8afecbb81512dd6e0fa6a

SHA512
5f6f25e605c6e66341d00ab22cf68a6eff038d1be68dfaa6a42e8d6789a4403eacc7d761e10037d642f5bba57aef69ff6ee0cea9a7285f9a7d31de6ca4e8274b

Download Submit
C:\Users\Admin\appdata\local\temp\tmprdttmm.exe
MD5
c4eaa123d911d5d6e259035814e50484

SHA1
1ec456cb8eee62aeaa864e551ded2be4b3eb5b54

SHA256
f6b6db568a6c9b543ff20c1cc5ddf67221c33eb1e0e8afecbb81512dd6e0fa6a

SHA512
5f6f25e605c6e66341d00ab22cf68a6eff038d1be68dfaa6a42e8d6789a4403eacc7d761e10037d642f5bba57aef69ff6ee0cea9a7285f9a7d31de6ca4e8274b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\python27.dll
MD5
985cbbc088b7cd7039ab2fdef7df3b7b

SHA1
7d1c58122f6952671dd4368a231cd4eefc14f973

SHA256
65a063a0b44746f382e9669563b29f4ae66b7bf3416c7fa5879a06b70ea9bb40

SHA512
1f5acc2c57a9c0c4367a57499710f3f9516daa7711f61e4db7a86b9654e9faec84ab40c1fda44d777eeaee1a0f6017f257ce4df2109101b6bfa395ab35b36974

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16~1\_ctypes.pyd
MD5
f1134b690b2dc0e6aa0f31be1ed9b05f

SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee

SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16~1\_hashlib.pyd
MD5
24c2f70ff5c6eaddb995f2cbb4bc4890

SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

Download Submit
\Users\Admin\AppData\Local\Temp\f.exe
MD5
394cbad5808ec208d95c956e5b84a713

SHA1
0c9c643172cd378bd4b775423577ec342de0db85

SHA256
5ee572c02829b15b368ba63c3d821c2e72c3abdf778585d2647e7ae4fbd8e8f7

SHA512
d6714e8b2bde7225ee5a244d94a944033ce869c9677cf43d0951440d0957bae65fd798bfea3e8d652e62f34b19aff0b2638579f968c601556f0b987dedb5c04d

Download Submit
\Users\Admin\AppData\Local\Temp\tmprdttmm.exe
MD5
c4eaa123d911d5d6e259035814e50484

SHA1
1ec456cb8eee62aeaa864e551ded2be4b3eb5b54

SHA256
f6b6db568a6c9b543ff20c1cc5ddf67221c33eb1e0e8afecbb81512dd6e0fa6a

SHA512
5f6f25e605c6e66341d00ab22cf68a6eff038d1be68dfaa6a42e8d6789a4403eacc7d761e10037d642f5bba57aef69ff6ee0cea9a7285f9a7d31de6ca4e8274b

Download Submit
memory/272-15-0x0000000000000000-mapping.dmp

Download
memory/840-17-0x0000000000000000-mapping.dmp

Download
memory/1092-14-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1560-2-0x0000000000000000-mapping.dmp

Download
memory/1576-11-0x0000000000000000-mapping.dmp

Download