7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce

General

Target

7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
Size

868KB
MD5

1c995e8f4af85982a6bd26019369ef62
SHA1

9cd0055ad7599440f852329e4ba3f2e6d7b76565
SHA256

7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce
SHA512

73a454656de2dbe2c402b750b9961f43184fa5c9670eba561bbf3d3126917fa3ee3f74e20c0f676d4536613ee3840fa63bda9f8ba12af2d1f1293938342aaf31

Score

9^/10

spyware

Malware Config

Signatures

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/3728-121-0x0000000004DE0000-0x0000000004DE5000-memory.dmp	CustAttr

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 2676 set thread context of 1284	2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	1284	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 3960	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	78
PID 3728 wrote to memory of 3960	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	78
PID 3728 wrote to memory of 3960	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	78
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 3728 wrote to memory of 2676	3728	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	79
PID 2676 wrote to memory of 1284	2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	80
PID 2676 wrote to memory of 1284	2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	80
PID 2676 wrote to memory of 1284	2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	80
PID 2676 wrote to memory of 1284	2676	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe	80

C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
"C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
  "C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe"
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe
  "C:\Users\Admin\AppData\Local\Temp\7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:1284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 92
      4⤵
      Program crash
      PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2676-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-118-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3728-120-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/3728-121-0x0000000004DE0000-0x0000000004DE5000-memory.dmp

Filesize
20KB

Download
memory/3728-122-0x0000000005A90000-0x0000000005B42000-memory.dmp

Filesize
712KB

Download
memory/3728-123-0x0000000007FE0000-0x0000000008055000-memory.dmp

Filesize
468KB

Download
memory/3728-119-0x0000000004CA0000-0x000000000519E000-memory.dmp

Filesize
5.0MB

Download
memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3728-117-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3728-116-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing