1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

General

Target

308da60a_wxBOPXvJOq.exe
Size

1.6MB
MD5

308da60a9996a07824a1a1ce3a994d05
SHA1

24828b0bbbe4b975e2d73cfbcd6633113145b2f9
SHA256

1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94
SHA512

84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

cutm3.exemd8_8eus.exeinst1.exe

pid process

416 cutm3.exe
2204 md8_8eus.exe
4256 inst1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md8_8eus.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com

pid	process
416	cutm3.exe
2204	md8_8eus.exe
4256	inst1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

flow	ioc
21	ip-api.com

Drops file in Program Files directory 11 IoCs

Processes:

308da60a_wxBOPXvJOq.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	308da60a_wxBOPXvJOq.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	308da60a_wxBOPXvJOq.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	308da60a_wxBOPXvJOq.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

md8_8eus.exe

description	pid	process
Token: SeManageVolumePrivilege	2204	md8_8eus.exe
Token: SeManageVolumePrivilege	2204	md8_8eus.exe
Token: SeManageVolumePrivilege	2204	md8_8eus.exe
Token: SeManageVolumePrivilege	2204	md8_8eus.exe
Token: SeManageVolumePrivilege	2204	md8_8eus.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

308da60a_wxBOPXvJOq.exe

description	pid	process	target process
PID 4648 wrote to memory of 416	4648	308da60a_wxBOPXvJOq.exe	cutm3.exe
PID 4648 wrote to memory of 416	4648	308da60a_wxBOPXvJOq.exe	cutm3.exe
PID 4648 wrote to memory of 2204	4648	308da60a_wxBOPXvJOq.exe	md8_8eus.exe
PID 4648 wrote to memory of 2204	4648	308da60a_wxBOPXvJOq.exe	md8_8eus.exe
PID 4648 wrote to memory of 2204	4648	308da60a_wxBOPXvJOq.exe	md8_8eus.exe
PID 4648 wrote to memory of 4256	4648	308da60a_wxBOPXvJOq.exe	inst1.exe
PID 4648 wrote to memory of 4256	4648	308da60a_wxBOPXvJOq.exe	inst1.exe
PID 4648 wrote to memory of 4256	4648	308da60a_wxBOPXvJOq.exe	inst1.exe

C:\Users\Admin\AppData\Local\Temp\308da60a_wxBOPXvJOq.exe
"C:\Users\Admin\AppData\Local\Temp\308da60a_wxBOPXvJOq.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Program Files (x86)\Company\NewProduct\inst1.exe
  "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe

MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe

MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
memory/416-138-0x0000018E2AB00000-0x0000018E2ABE4000-memory.dmp

Filesize
912KB

Download
memory/416-139-0x0000018E2AD50000-0x0000018E2AEB1000-memory.dmp

Filesize
1.4MB

Download
memory/416-114-0x0000000000000000-mapping.dmp

Download
memory/2204-140-0x00000000037B0000-0x0000000003810000-memory.dmp

Filesize
384KB

Download
memory/2204-126-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2204-132-0x0000000003950000-0x0000000003960000-memory.dmp

Filesize
64KB

Download
memory/2204-123-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2204-117-0x0000000000000000-mapping.dmp

Download
memory/2204-146-0x0000000003950000-0x00000000039B0000-memory.dmp

Filesize
384KB

Download
memory/2204-152-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/2204-153-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/2204-154-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/4256-124-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/4256-125-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/4256-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads