138a3dd2730be8b076caf28f85d3fbd5a987f9587c8b629ca565ac8de1cc9637

General

Target

main_setup_x86x64.bin.exe
Size

1.8MB
MD5

51da3eb43302642233928bd69ca6e219
SHA1

7d7d696126bde5e8dbab7382d278e40d22cf47da
SHA256

138a3dd2730be8b076caf28f85d3fbd5a987f9587c8b629ca565ac8de1cc9637
SHA512

6956d4a9331ad8b6cf563427c36ddf4981f1cdebd30ec8cdbc6ec2845e0f4762ed2c4d8d3285b0bcd18d698569d2067f58e9fa1e22d77d4be97efd97d1898561

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Fresche.exe.comFresche.exe.com

pid process

3032 Fresche.exe.com
1120 Fresche.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3032	Fresche.exe.com
1120	Fresche.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fresche.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fresche.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Fresche.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3404 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Fresche.exe.com

pid process

1120 Fresche.exe.com
1120 Fresche.exe.com

pid	process
3404	PING.EXE

pid	process
1120	Fresche.exe.com
1120	Fresche.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

main_setup_x86x64.bin.execmd.execmd.exeFresche.exe.com

description	pid	process	target process
PID 3152 wrote to memory of 1372	3152	main_setup_x86x64.bin.exe	makecab.exe
PID 3152 wrote to memory of 1372	3152	main_setup_x86x64.bin.exe	makecab.exe
PID 3152 wrote to memory of 1372	3152	main_setup_x86x64.bin.exe	makecab.exe
PID 3152 wrote to memory of 1832	3152	main_setup_x86x64.bin.exe	cmd.exe
PID 3152 wrote to memory of 1832	3152	main_setup_x86x64.bin.exe	cmd.exe
PID 3152 wrote to memory of 1832	3152	main_setup_x86x64.bin.exe	cmd.exe
PID 1832 wrote to memory of 2332	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 2332	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 2332	1832	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3792	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 3792	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 3792	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 3032	2332	cmd.exe	Fresche.exe.com
PID 2332 wrote to memory of 3032	2332	cmd.exe	Fresche.exe.com
PID 2332 wrote to memory of 3032	2332	cmd.exe	Fresche.exe.com
PID 2332 wrote to memory of 3404	2332	cmd.exe	PING.EXE
PID 2332 wrote to memory of 3404	2332	cmd.exe	PING.EXE
PID 2332 wrote to memory of 3404	2332	cmd.exe	PING.EXE
PID 3032 wrote to memory of 1120	3032	Fresche.exe.com	Fresche.exe.com
PID 3032 wrote to memory of 1120	3032	Fresche.exe.com	Fresche.exe.com
PID 3032 wrote to memory of 1120	3032	Fresche.exe.com	Fresche.exe.com

C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe
"C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mtGCHFXHhSVuwQmJLT & EmCeqebftHqwLnhIhSxEfgLn & cmd < Cui.jar
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PGjCsNUUOkulVUDgTCsLgwbtgnrtaMjQyMxswDFobKDrInIVqUHEnjBNoihSKQBwYdtpmkjfXohDnxcQQitnyHsSkGpTfMbHpBtszncOHsHdZXfOMbeCLrWsZkXTezZlKGxWfrv$" Sete.jar
      4⤵
      PID:3792
  - - C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com
      Fresche.exe.com d
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com
        
        C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com d
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        
        PID:1120
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Cui.jar

MD5
74782a69568baa6b7e9c28c2509bc249

SHA1
1a5fa3fe08641e9d8d7563dedddbf9c1efeed936

SHA256
192994d9d03d0d4ac8959de4758d37b1a38ebefdbc2001241172edd193eecbc2

SHA512
d7bf2b4824b1904b97a40325fcfea5d2c2a392c761536ecd32ee86d3b5b56108efd0b0744f045a9aaff731b98d3e2f70de45524d019e79b126e45e97352e3bdb

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Ora.jar

MD5
079f8e8f2e14c388746ea548609c4bbd

SHA1
0bf6e331f374d61fdfe7c4686b9a8f139cbea6bc

SHA256
0862c5c2b7cd015d55d89492de8b411bd02950e7deebeb6eab3eade0503d2056

SHA512
e9c27e787fbd56d22fffb01180ada7456e6786ab0a3ca0aec8670275bfd31571a136782c79bc6af825a75d0bc5fb607b21152ba79ba7d2ece83e97c4bc9fb6de

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Sete.jar

MD5
22f4d6e3a977155d4be5138c8ca47c7a

SHA1
21dc8b51d83c446f642bfdddf673ec709d31e7dc

SHA256
c6a653d1dc7a142e940cf7446a585354bd45b8de8b161c98de2d336c55299462

SHA512
5d302ccba231d9ff4cbc3a0e496b72d8297678f42890e57704f0637cf63fc4da5fb1e5287b1e7bea89521d223b9b4375c04666adb07ae8d0604ca5a089e423f3

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Sua.jar

MD5
4e969bbb36847533d3e748b43c28a0f5

SHA1
b3e5582fb2fb042df8c0f2f013f79bfdfb505666

SHA256
5e909f9bb0db6c2578633ae116572c6422d91cc129a5be9a5d9944b00cb2dff3

SHA512
dc831bc5cd97bd2740237b274c0940f841f882ac85836bc46b7b799746b9ee13572ecc0009546043d5c9dcf87a588dfb627b4ce81a62bf441711b35fb7b03760

Download Submit
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\d

MD5
4e969bbb36847533d3e748b43c28a0f5

SHA1
b3e5582fb2fb042df8c0f2f013f79bfdfb505666

SHA256
5e909f9bb0db6c2578633ae116572c6422d91cc129a5be9a5d9944b00cb2dff3

SHA512
dc831bc5cd97bd2740237b274c0940f841f882ac85836bc46b7b799746b9ee13572ecc0009546043d5c9dcf87a588dfb627b4ce81a62bf441711b35fb7b03760

Download Submit
memory/1120-125-0x0000000000000000-mapping.dmp

Download
memory/1120-128-0x00000000009C0000-0x00000000009E3000-memory.dmp

Filesize
140KB

Download
memory/1372-114-0x0000000000000000-mapping.dmp

Download
memory/1832-115-0x0000000000000000-mapping.dmp

Download
memory/2332-117-0x0000000000000000-mapping.dmp

Download
memory/3032-121-0x0000000000000000-mapping.dmp

Download
memory/3404-123-0x0000000000000000-mapping.dmp

Download
memory/3792-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing