83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43

General

Target

83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43.bin.dll
Size

5.2MB
MD5

3a4299537272d8671d85c99c17918e99
SHA1

93ff8577a13146091e40349fa523a6f54bd5fa2a
SHA256

83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43
SHA512

29011d41fdfc35cf3a4fe84fc08536bf1aa2afae2954227c58c53bbd922dcbfe256c43844e4153b56888f0e648dc57ad25d9bf15abe0dfb5796c2276b2ff1d28

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

2 1140 RUNDLL32.EXE
4 1140 RUNDLL32.EXE
5 1140 RUNDLL32.EXE
6 1140 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
2	1140	RUNDLL32.EXE
4	1140	RUNDLL32.EXE
5	1140	RUNDLL32.EXE
6	1140	RUNDLL32.EXE

Drops desktop.ini file(s) 4 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLQ59KOM\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1432 rundll32.exe
Token: SeDebugPrivilege 1140 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	1432	rundll32.exe
Token: SeDebugPrivilege	1140	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1432	1660	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE
PID 1432 wrote to memory of 1140	1432	rundll32.exe	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43.bin.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43.bin.dll,nkRaXKn3ASz9
    3⤵
    - Blocklisted process makes network request
    - Drops desktop.ini file(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-5-0x0000000000000000-mapping.dmp

Download
memory/1140-7-0x0000000074280000-0x0000000074423000-memory.dmp

Filesize
1.6MB

Download
memory/1432-2-0x0000000000000000-mapping.dmp

Download
memory/1432-3-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1432-4-0x0000000074430000-0x00000000745D3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing