32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d

General

Target

32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe
Size

69KB
MD5

87809bbb605f9a0446f9f4e289dde0b4
SHA1

9ca27dc11bb6428c47cceb0f62bab494474ff408
SHA256

32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d
SHA512

918e8d12c2490b4359212c913894f78c40f596697229c03736d5abb589cf4fc85ae8b917242442a7eae608fdd7e296c00033b606dd8d4c00bcb78b469f993547

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

476705.exe5084254.exeWinHoster.exe

pid process

4368 476705.exe
4600 5084254.exe
4648 WinHoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4368	476705.exe
4600	5084254.exe
4648	WinHoster.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5084254.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5084254.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

476705.exe

pid process

4368 476705.exe
4368 476705.exe

pid	process
4368	476705.exe
4368	476705.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe476705.exe

description	pid	process
Token: SeDebugPrivilege	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe
Token: SeDebugPrivilege	4368	476705.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe5084254.exe

description	pid	process	target process
PID 3592 wrote to memory of 4368	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	476705.exe
PID 3592 wrote to memory of 4368	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	476705.exe
PID 3592 wrote to memory of 4368	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	476705.exe
PID 3592 wrote to memory of 4600	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	5084254.exe
PID 3592 wrote to memory of 4600	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	5084254.exe
PID 3592 wrote to memory of 4600	3592	32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe	5084254.exe
PID 4600 wrote to memory of 4648	4600	5084254.exe	WinHoster.exe
PID 4600 wrote to memory of 4648	4600	5084254.exe	WinHoster.exe
PID 4600 wrote to memory of 4648	4600	5084254.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe
"C:\Users\Admin\AppData\Local\Temp\32644bca80e32c4cabe236c15a31aa9538c64349ae8d0a9a9371d9707b71821d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Roaming\476705.exe
"C:\Users\Admin\AppData\Roaming\476705.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Roaming\5084254.exe
"C:\Users\Admin\AppData\Roaming\5084254.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\476705.exe
MD5
37b7463ba0c809a6dd1ab00029772183

SHA1
2aef98dc4d191578a281b33efe426ff32b92aa39

SHA256
41a06ac3fffde5a16bf80b2bc834e50a1f5ac1366a6f42bce53c775433f02c64

SHA512
04d4f28da1be1c1d2ddacf2d2057433d462a61a59c895cb42944933ca1d37894052df9691d181b9e89015e4c04c3ea601d93d4b0cec773d6764ce18da059e039

Download Submit
C:\Users\Admin\AppData\Roaming\476705.exe
MD5
37b7463ba0c809a6dd1ab00029772183

SHA1
2aef98dc4d191578a281b33efe426ff32b92aa39

SHA256
41a06ac3fffde5a16bf80b2bc834e50a1f5ac1366a6f42bce53c775433f02c64

SHA512
04d4f28da1be1c1d2ddacf2d2057433d462a61a59c895cb42944933ca1d37894052df9691d181b9e89015e4c04c3ea601d93d4b0cec773d6764ce18da059e039

Download Submit
C:\Users\Admin\AppData\Roaming\5084254.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\5084254.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
memory/3592-117-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/3592-115-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/4368-123-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4368-139-0x000000000E260000-0x000000000E261000-memory.dmp

Filesize
4KB

Download
memory/4368-147-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4368-125-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4368-124-0x00000000052D0000-0x0000000005316000-memory.dmp

Filesize
280KB

Download
memory/4368-126-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4368-118-0x0000000000000000-mapping.dmp

Download
memory/4368-121-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4368-134-0x000000000DFF0000-0x000000000DFF1000-memory.dmp

Filesize
4KB

Download
memory/4368-135-0x000000000E6F0000-0x000000000E6F1000-memory.dmp

Filesize
4KB

Download
memory/4600-133-0x000000000B1C0000-0x000000000B1C1000-memory.dmp

Filesize
4KB

Download
memory/4600-132-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4600-130-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4600-127-0x0000000000000000-mapping.dmp

Download
memory/4648-136-0x0000000000000000-mapping.dmp

Download
memory/4648-144-0x000000000AC70000-0x000000000AC71000-memory.dmp

Filesize
4KB

Download
memory/4648-148-0x000000000B0B0000-0x000000000B0B1000-memory.dmp

Filesize
4KB

Download
memory/4648-149-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads