3b0dd80fe69341c8c788647b73e8eace9b9ce28d5393de9350993c43f978819d

General

Target

11.bin.exe
Size

1.2MB
MD5

b75c7acd1f22f27112a92743c1e690b1
SHA1

213a9b0791dd4a33633920d9327f226b9db5c827
SHA256

28d2e300adc2a932e546456edb9439f2edc216c737aa68665887979e3512dde0
SHA512

0c0581cef5fee7a09d72bc58a03b9d08f4c1bb0388fefeb603e7001f5c73db73d8d172ed53d2e0da62c78ab710b9d96246c1a175dbbced296605ca00dfe3aa1f

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Lucky Fixed.exe

pid process

1744 Lucky Fixed.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
6 api.ipify.org
7 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
10	ip-api.com
6	api.ipify.org
7	api.ipify.org

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Lucky Fixed.exe

pid	process
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe
1744	Lucky Fixed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lucky Fixed.exe

description pid process

Token: SeDebugPrivilege 1744 Lucky Fixed.exe

description	pid	process
Token: SeDebugPrivilege	1744	Lucky Fixed.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

11.bin.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1752	1644	11.bin.exe	cmd.exe
PID 1644 wrote to memory of 1752	1644	11.bin.exe	cmd.exe
PID 1644 wrote to memory of 1752	1644	11.bin.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	cmd.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	cmd.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	cmd.exe	cmd.exe
PID 1644 wrote to memory of 1744	1644	11.bin.exe	Lucky Fixed.exe
PID 1644 wrote to memory of 1744	1644	11.bin.exe	Lucky Fixed.exe
PID 1644 wrote to memory of 1744	1644	11.bin.exe	Lucky Fixed.exe

C:\Users\Admin\AppData\Local\Temp\11.bin.exe
"C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe
  "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.bat

MD5
9d90fceafccbb5fcb99d4b5561c1ee1e

SHA1
047a96822761e48649f0c68c7f17a055c5dd6ca3

SHA256
a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da

SHA512
615b4ec0ca22bb04239aa9f72d235960d191885526827dc241e72b8bc08a4f1c83e64fc2d4ae832340cd476d3acfc2eb540b875f2980eda0e4847d2b29604023

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe

MD5
c287b77c245838cb2434eb92ae94703d

SHA1
580e0781c185063f8a193bb650bb91df79f73fd0

SHA256
9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2

SHA512
308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe

MD5
c287b77c245838cb2434eb92ae94703d

SHA1
580e0781c185063f8a193bb650bb91df79f73fd0

SHA256
9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2

SHA512
308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c

Download Submit
memory/1644-59-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1644-69-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download
memory/1744-64-0x0000000000000000-mapping.dmp

Download
memory/1744-67-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/1744-70-0x0000000000A40000-0x0000000000AB1000-memory.dmp

Filesize
452KB

Download
memory/1744-71-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

Filesize
8KB

Download
memory/1752-61-0x0000000000000000-mapping.dmp

Download
memory/1788-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing