812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80

General

Target

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
Size

213KB
MD5

b9a51b09291f4b33c6301070e9ab8360
SHA1

4c493b8a46f9ded53cb7b8e2edc80eb4db0928ae
SHA256

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80
SHA512

f3a468a8983c40762e1ffa1560d36605bfe94b63e53e4241baa4c575a220acd7be21d90266407df0e46f08eaf6f0a6a8bf7abecf1d3afca480ce6bc6cd44239f

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr

pid process

1508 812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr

pid	process
1508	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr

Loads dropped DLL 2 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

pid	process
1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

description	ioc	process
File created	C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

Drops file in Program Files directory 64 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\IEContentService.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\VideoLAN\VLC\uninstall.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Google\Update\Install\{A290E22C-E339-4EA1-B140-FE44A71CE551}\89.0.4389.114_chrome_installer.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javacpl.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Mozilla Firefox\firefox.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVE.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\chrome.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Java\jre7\bin\javaws.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.usr	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

Drops file in Windows directory 1 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

description ioc process

File created C:\Windows\USR_Shohdi_Photo_USR.exe 812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

description	ioc	process
File created	C:\Windows\USR_Shohdi_Photo_USR.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe

description	pid	process	target process
PID 1060 wrote to memory of 1508	1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
PID 1060 wrote to memory of 1508	1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
PID 1060 wrote to memory of 1508	1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
PID 1060 wrote to memory of 1508	1060	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe	812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr

C:\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe
"C:\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
C:\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
2⤵
- Executes dropped EXE
PID:1508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
MD5
1075d51b46f61f4fdd3489387468efa7

SHA1
a7eb662d7d2e644d8b481891425a8bdd7bbbc4c7

SHA256
4a6400c8dea8437b320953d87fe7ef95c5272594b1a456bbfc0b926ca360f956

SHA512
2593ce01d1d19724f10fc2a4df4dec167e8ff4b11d6b9128b7d6caaff478915215b5c8e26b5449c756f534dffb38b8f2b722afdd26acb194e248760e967c2d01

Download Submit
\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
MD5
1075d51b46f61f4fdd3489387468efa7

SHA1
a7eb662d7d2e644d8b481891425a8bdd7bbbc4c7

SHA256
4a6400c8dea8437b320953d87fe7ef95c5272594b1a456bbfc0b926ca360f956

SHA512
2593ce01d1d19724f10fc2a4df4dec167e8ff4b11d6b9128b7d6caaff478915215b5c8e26b5449c756f534dffb38b8f2b722afdd26acb194e248760e967c2d01

Download Submit
\Users\Admin\AppData\Local\Temp\812804c3d424a60f3f24eb743ca555d9e022436e139bab8cc6f2ceb3382a0b80.usr
MD5
1075d51b46f61f4fdd3489387468efa7

SHA1
a7eb662d7d2e644d8b481891425a8bdd7bbbc4c7

SHA256
4a6400c8dea8437b320953d87fe7ef95c5272594b1a456bbfc0b926ca360f956

SHA512
2593ce01d1d19724f10fc2a4df4dec167e8ff4b11d6b9128b7d6caaff478915215b5c8e26b5449c756f534dffb38b8f2b722afdd26acb194e248760e967c2d01

Download Submit
memory/1060-65-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1060-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1508-62-0x0000000000000000-mapping.dmp

Download
memory/1508-64-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads