b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

General

Target

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
Size

605KB
MD5

1578dff0667515e1f9e20fd9667b5793
SHA1

6c18fd0b383162cb9030e4b18a27ecbacd8c34d3
SHA256

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89
SHA512

0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Score

8^/10

spyware vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

4384 dllhost.exe

pid	process
4384	dllhost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4652-3-0x000001FD2A670000-0x000001FD2A671000-memory.dmp	vmprotect
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe	vmprotect
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe	vmprotect
behavioral2/memory/1588-37-0x0000020F91A90000-0x0000020F91A91000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
19 ipinfo.io

flow	ioc
18	ipinfo.io
19	ipinfo.io

Drops file in Program Files directory 6 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\Offline\csrss.exe	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Program Files\Windows Defender\Offline\886983d96e3d3e31032c679b2d4ea91b6c05afef	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Program Files\Windows Defender\en-US\dwm.exe	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Program Files\Windows Defender\en-US\6cb0b6c459d5d3455a3da700e713f2e2529862ff	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\5940a34987c99120d96dace90a3f93f329dcad63	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1588 4384 WerFault.exe dllhost.exe
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3840 schtasks.exe
3308 schtasks.exe
3152 schtasks.exe
3532 schtasks.exe
3488 schtasks.exe
4048 schtasks.exe
4340 schtasks.exe

pid	pid_target	process	target process
1588	4384	WerFault.exe	dllhost.exe

pid	process
3840	schtasks.exe
3308	schtasks.exe
3152	schtasks.exe
3532	schtasks.exe
3488	schtasks.exe
4048	schtasks.exe
4340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exedllhost.exeWerFault.exe

pid	process
4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
4384	dllhost.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exedllhost.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
Token: SeDebugPrivilege	4384	dllhost.exe
Token: SeDebugPrivilege	1588	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe

description	pid	process	target process
PID 4652 wrote to memory of 3840	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3840	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3308	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3308	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3152	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3152	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3532	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3532	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3488	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 3488	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 4048	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 4048	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 4340	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 4340	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 4652 wrote to memory of 4384	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	dllhost.exe
PID 4652 wrote to memory of 4384	4652	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
"C:\Users\Admin\AppData\Local\Temp\b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89" /sc ONLOGON /tr "'C:\PerfLogs\b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3308

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3152

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Downloads\audiodg.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3488

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\dwm.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4340

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4384 -s 2548
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe
MD5
1578dff0667515e1f9e20fd9667b5793

SHA1
6c18fd0b383162cb9030e4b18a27ecbacd8c34d3

SHA256
b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

SHA512
0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe
MD5
1578dff0667515e1f9e20fd9667b5793

SHA1
6c18fd0b383162cb9030e4b18a27ecbacd8c34d3

SHA256
b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

SHA512
0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Download Submit
memory/1588-37-0x0000020F91A90000-0x0000020F91A91000-memory.dmp

Filesize
4KB

Download
memory/1588-36-0x0000020F91A90000-0x0000020F91A91000-memory.dmp

Filesize
4KB

Download
memory/3152-11-0x0000000000000000-mapping.dmp

Download
memory/3308-10-0x0000000000000000-mapping.dmp

Download
memory/3488-13-0x0000000000000000-mapping.dmp

Download
memory/3532-12-0x0000000000000000-mapping.dmp

Download
memory/3840-9-0x0000000000000000-mapping.dmp

Download
memory/4048-14-0x0000000000000000-mapping.dmp

Download
memory/4340-15-0x0000000000000000-mapping.dmp

Download
memory/4384-19-0x00007FFBE03C0000-0x00007FFBE0DAC000-memory.dmp

Filesize
9.9MB

Download
memory/4384-30-0x000001D2C5507000-0x000001D2C5509000-memory.dmp

Filesize
8KB

Download
memory/4384-35-0x000001D2C6A9C000-0x000001D2C6AA1000-memory.dmp

Filesize
20KB

Download
memory/4384-34-0x000001D2C6A97000-0x000001D2C6A9C000-memory.dmp

Filesize
20KB

Download
memory/4384-22-0x000001D2C5500000-0x000001D2C5502000-memory.dmp

Filesize
8KB

Download
memory/4384-26-0x000001D2AB570000-0x000001D2AB571000-memory.dmp

Filesize
4KB

Download
memory/4384-28-0x000001D2C5502000-0x000001D2C5504000-memory.dmp

Filesize
8KB

Download
memory/4384-27-0x000001D2C5504000-0x000001D2C5505000-memory.dmp

Filesize
4KB

Download
memory/4384-29-0x000001D2C5505000-0x000001D2C5507000-memory.dmp

Filesize
8KB

Download
memory/4384-16-0x0000000000000000-mapping.dmp

Download
memory/4384-31-0x000001D2C5509000-0x000001D2C550F000-memory.dmp

Filesize
24KB

Download
memory/4384-32-0x000001D2C6A90000-0x000001D2C6A94000-memory.dmp

Filesize
16KB

Download
memory/4384-33-0x000001D2C6A94000-0x000001D2C6A97000-memory.dmp

Filesize
12KB

Download
memory/4652-2-0x00007FFBE03C0000-0x00007FFBE0DAC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-6-0x000001FD2AAA0000-0x000001FD2AAA1000-memory.dmp

Filesize
4KB

Download
memory/4652-5-0x000001FD44C30000-0x000001FD44C32000-memory.dmp

Filesize
8KB

Download
memory/4652-3-0x000001FD2A670000-0x000001FD2A671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads