044c16cdbc6ec18f58bfecaacf4d4e21150a19d8d10c694c4a4c3085697499a2

Analysis

max time kernel
147s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
04-01-2021 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe

Score

8^/10

spyware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tmpdh3ba3.exef.exe

pid process

1712 tmpdh3ba3.exe
3808 f.exe

pid	process
1712	tmpdh3ba3.exe
3808	f.exe

Drops startup file 2 IoCs

Processes:

tmpdh3ba3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	tmpdh3ba3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	tmpdh3ba3.exe

Loads dropped DLL 3 IoCs

Processes:

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe

pid	process
3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

tmpdh3ba3.exe

pid process

1712 tmpdh3ba3.exe

pid	process
1712	tmpdh3ba3.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exeaa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exetmpdh3ba3.execmd.exe

description	pid	process	target process
PID 540 wrote to memory of 3548	540	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 540 wrote to memory of 3548	540	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 540 wrote to memory of 3548	540	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
PID 3548 wrote to memory of 1712	3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmpdh3ba3.exe
PID 3548 wrote to memory of 1712	3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmpdh3ba3.exe
PID 3548 wrote to memory of 1712	3548	aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe	tmpdh3ba3.exe
PID 1712 wrote to memory of 196	1712	tmpdh3ba3.exe	cmd.exe
PID 1712 wrote to memory of 196	1712	tmpdh3ba3.exe	cmd.exe
PID 1712 wrote to memory of 196	1712	tmpdh3ba3.exe	cmd.exe
PID 196 wrote to memory of 3808	196	cmd.exe	f.exe
PID 196 wrote to memory of 3808	196	cmd.exe	f.exe

C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
"C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe
"C:\Users\Admin\AppData\Local\Temp\aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\appdata\local\temp\tmpdh3ba3.exe
"C:\Users\Admin\appdata\local\temp\tmpdh3ba3.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\f.exe > C:\Users\Admin\AppData\Local\Temp\fp.tmp
4⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Users\Admin\AppData\Local\Temp\f.exe
C:\Users\Admin\AppData\Local\Temp\f.exe
5⤵
- Executes dropped EXE
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI5402\Privkeygen.exe.manifest
MD5
531e60e159542610fb7f6846f14e4ca3

SHA1
e666a8c1337e7900b63ad0788612547db70bcbce

SHA256
f995b80c57367823846a887cdaed691d297223391c224b3ad89523ebf17d4bab

SHA512
0ee55732a7f8a02ccd252b9a3b2d48b55554195b4cc5dcc783e1ff3a4b14920f73f1cbd0de9dcfad6750e3c287c5e3f1f17d24ae4941f06767fc200cd56c6f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5402\_ctypes.pyd
MD5
f1134b690b2dc0e6aa0f31be1ed9b05f

SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee

SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5402\_hashlib.pyd
MD5
24c2f70ff5c6eaddb995f2cbb4bc4890

SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5402\python27.dll
MD5
985cbbc088b7cd7039ab2fdef7df3b7b

SHA1
7d1c58122f6952671dd4368a231cd4eefc14f973

SHA256
65a063a0b44746f382e9669563b29f4ae66b7bf3416c7fa5879a06b70ea9bb40

SHA512
1f5acc2c57a9c0c4367a57499710f3f9516daa7711f61e4db7a86b9654e9faec84ab40c1fda44d777eeaee1a0f6017f257ce4df2109101b6bfa395ab35b36974

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe
MD5
394cbad5808ec208d95c956e5b84a713

SHA1
0c9c643172cd378bd4b775423577ec342de0db85

SHA256
5ee572c02829b15b368ba63c3d821c2e72c3abdf778585d2647e7ae4fbd8e8f7

SHA512
d6714e8b2bde7225ee5a244d94a944033ce869c9677cf43d0951440d0957bae65fd798bfea3e8d652e62f34b19aff0b2638579f968c601556f0b987dedb5c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe
MD5
394cbad5808ec208d95c956e5b84a713

SHA1
0c9c643172cd378bd4b775423577ec342de0db85

SHA256
5ee572c02829b15b368ba63c3d821c2e72c3abdf778585d2647e7ae4fbd8e8f7

SHA512
d6714e8b2bde7225ee5a244d94a944033ce869c9677cf43d0951440d0957bae65fd798bfea3e8d652e62f34b19aff0b2638579f968c601556f0b987dedb5c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fp.tmp
MD5
40050e541873c0904c6ffeb9e34a716a

SHA1
91465661712c040c070442e7492e8f7158f0c841

SHA256
00cf718b2f79f5fc36d98561480e7fa0bd32007103fb829a1111afba45d62276

SHA512
7cda7dddb78d9616ae7a89312f6dc782fee16d0fd07dfad88e555d566806ef5d52f7483ecd21ab58331858656cb24adcdfeb10de7c60b60849e714aeeb5e6878

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpdh3ba3.exe
MD5
c4eaa123d911d5d6e259035814e50484

SHA1
1ec456cb8eee62aeaa864e551ded2be4b3eb5b54

SHA256
f6b6db568a6c9b543ff20c1cc5ddf67221c33eb1e0e8afecbb81512dd6e0fa6a

SHA512
5f6f25e605c6e66341d00ab22cf68a6eff038d1be68dfaa6a42e8d6789a4403eacc7d761e10037d642f5bba57aef69ff6ee0cea9a7285f9a7d31de6ca4e8274b

Download Submit
C:\Users\Admin\appdata\local\temp\tmpdh3ba3.exe
MD5
c4eaa123d911d5d6e259035814e50484

SHA1
1ec456cb8eee62aeaa864e551ded2be4b3eb5b54

SHA256
f6b6db568a6c9b543ff20c1cc5ddf67221c33eb1e0e8afecbb81512dd6e0fa6a

SHA512
5f6f25e605c6e66341d00ab22cf68a6eff038d1be68dfaa6a42e8d6789a4403eacc7d761e10037d642f5bba57aef69ff6ee0cea9a7285f9a7d31de6ca4e8274b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5402\_ctypes.pyd
MD5
f1134b690b2dc0e6aa0f31be1ed9b05f

SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee

SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e

SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5402\_hashlib.pyd
MD5
24c2f70ff5c6eaddb995f2cbb4bc4890

SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73

SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4

SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5402\python27.dll
MD5
985cbbc088b7cd7039ab2fdef7df3b7b

SHA1
7d1c58122f6952671dd4368a231cd4eefc14f973

SHA256
65a063a0b44746f382e9669563b29f4ae66b7bf3416c7fa5879a06b70ea9bb40

SHA512
1f5acc2c57a9c0c4367a57499710f3f9516daa7711f61e4db7a86b9654e9faec84ab40c1fda44d777eeaee1a0f6017f257ce4df2109101b6bfa395ab35b36974

Download Submit
memory/196-13-0x0000000000000000-mapping.dmp

Download
memory/1712-10-0x0000000000000000-mapping.dmp

Download
memory/3548-2-0x0000000000000000-mapping.dmp

Download
memory/3808-14-0x0000000000000000-mapping.dmp

Download