a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28

General

Target

a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe
Size

59KB
MD5

ea2d29e9f69eef9945cff9eeab1fd246
SHA1

ca142f8de3b5ea18d9538a7c5968fcd1542e7f46
SHA256

a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28
SHA512

5a4a084b23b290b43b535833083c1e262843802908112cd1731e06e0d9490d8ebadbe376a9d7129575a4d58245c1f40084f32f4d7d33dc93b971e790f8bd9571

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

2498867.exe5225018.exeWinHoster.exe

pid process

4448 2498867.exe
4632 5225018.exe
520 WinHoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4448	2498867.exe
4632	5225018.exe
520	WinHoster.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5225018.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5225018.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2498867.exe

pid process

4448 2498867.exe
4448 2498867.exe

pid	process
4448	2498867.exe
4448	2498867.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe2498867.exe

description	pid	process
Token: SeDebugPrivilege	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe
Token: SeDebugPrivilege	4448	2498867.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe5225018.exe

description	pid	process	target process
PID 2324 wrote to memory of 4448	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	2498867.exe
PID 2324 wrote to memory of 4448	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	2498867.exe
PID 2324 wrote to memory of 4448	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	2498867.exe
PID 2324 wrote to memory of 4632	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	5225018.exe
PID 2324 wrote to memory of 4632	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	5225018.exe
PID 2324 wrote to memory of 4632	2324	a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe	5225018.exe
PID 4632 wrote to memory of 520	4632	5225018.exe	WinHoster.exe
PID 4632 wrote to memory of 520	4632	5225018.exe	WinHoster.exe
PID 4632 wrote to memory of 520	4632	5225018.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe
"C:\Users\Admin\AppData\Local\Temp\a4f4753bf9e076f24a442b5b2405b0f98d40b345d4546fec5376cb096340cb28.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\2498867.exe
  "C:\Users\Admin\AppData\Roaming\2498867.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Users\Admin\AppData\Roaming\5225018.exe
  "C:\Users\Admin\AppData\Roaming\5225018.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    - Executes dropped EXE
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2498867.exe

MD5
37b7463ba0c809a6dd1ab00029772183

SHA1
2aef98dc4d191578a281b33efe426ff32b92aa39

SHA256
41a06ac3fffde5a16bf80b2bc834e50a1f5ac1366a6f42bce53c775433f02c64

SHA512
04d4f28da1be1c1d2ddacf2d2057433d462a61a59c895cb42944933ca1d37894052df9691d181b9e89015e4c04c3ea601d93d4b0cec773d6764ce18da059e039

Download Submit
C:\Users\Admin\AppData\Roaming\2498867.exe

MD5
37b7463ba0c809a6dd1ab00029772183

SHA1
2aef98dc4d191578a281b33efe426ff32b92aa39

SHA256
41a06ac3fffde5a16bf80b2bc834e50a1f5ac1366a6f42bce53c775433f02c64

SHA512
04d4f28da1be1c1d2ddacf2d2057433d462a61a59c895cb42944933ca1d37894052df9691d181b9e89015e4c04c3ea601d93d4b0cec773d6764ce18da059e039

Download Submit
C:\Users\Admin\AppData\Roaming\5225018.exe

MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\5225018.exe

MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
memory/520-135-0x0000000000000000-mapping.dmp

Download
memory/520-146-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/520-145-0x000000000B1E0000-0x000000000B1E1000-memory.dmp

Filesize
4KB

Download
memory/520-142-0x000000000A6F0000-0x000000000A6F1000-memory.dmp

Filesize
4KB

Download
memory/2324-115-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2324-118-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2324-117-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/4448-126-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4448-124-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/4448-150-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4448-134-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/4448-147-0x000000000E450000-0x000000000E451000-memory.dmp

Filesize
4KB

Download
memory/4448-119-0x0000000000000000-mapping.dmp

Download
memory/4448-122-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4448-125-0x0000000005900000-0x0000000005946000-memory.dmp

Filesize
280KB

Download
memory/4448-143-0x000000000E510000-0x000000000E511000-memory.dmp

Filesize
4KB

Download
memory/4448-144-0x000000000EC10000-0x000000000EC11000-memory.dmp

Filesize
4KB

Download
memory/4632-132-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4632-127-0x0000000000000000-mapping.dmp

Download
memory/4632-130-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4632-133-0x000000000AC50000-0x000000000AC51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads