1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

General

Target

308da60a_wxBOPXvJOq.exe
Size

1.6MB
MD5

308da60a9996a07824a1a1ce3a994d05
SHA1

24828b0bbbe4b975e2d73cfbcd6633113145b2f9
SHA256

1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94
SHA512

84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1544	cutm3.exe
1680	md8_8eus.exe
464	inst1.exe

Loads dropped DLL 3 IoCs

pid	Process
1788	308da60a_wxBOPXvJOq.exe
1788	308da60a_wxBOPXvJOq.exe
1788	308da60a_wxBOPXvJOq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	308da60a_wxBOPXvJOq.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	308da60a_wxBOPXvJOq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1680	md8_8eus.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1680	1788	308da60a_wxBOPXvJOq.exe	30
PID 1788 wrote to memory of 1680	1788	308da60a_wxBOPXvJOq.exe	30
PID 1788 wrote to memory of 1680	1788	308da60a_wxBOPXvJOq.exe	30
PID 1788 wrote to memory of 1680	1788	308da60a_wxBOPXvJOq.exe	30
PID 1788 wrote to memory of 464	1788	308da60a_wxBOPXvJOq.exe	31
PID 1788 wrote to memory of 464	1788	308da60a_wxBOPXvJOq.exe	31
PID 1788 wrote to memory of 464	1788	308da60a_wxBOPXvJOq.exe	31
PID 1788 wrote to memory of 464	1788	308da60a_wxBOPXvJOq.exe	31

C:\Users\Admin\AppData\Local\Temp\308da60a_wxBOPXvJOq.exe
"C:\Users\Admin\AppData\Local\Temp\308da60a_wxBOPXvJOq.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Program Files (x86)\Company\NewProduct\inst1.exe
  "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-74-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/464-73-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1680-66-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1680-75-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/1788-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing