c92233690bfbe0085091a4d3eaef1c6a3e1da06636144e88933d8c7278587227

Analysis

max time kernel
134s
max time network
158s
platform
windows7_x64
resource
win7-en-20210920
submitted
23-10-2021 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup12.exe
Size

3.0MB
MD5

1d0e65c9adccd36e64e17ef283f272e6
SHA1

4f96cd93bb88aa0af573e3e7ad689f753d55a488
SHA256

c92233690bfbe0085091a4d3eaef1c6a3e1da06636144e88933d8c7278587227
SHA512

c0ee10ac49cadf02a6a534a9a28ebe79bc4e6fd9a53d0fa1fc3d80b704a3bf577bda79433d93bb5559205792d12718016203595d324b98ac9e9e93bfae383de1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

cutm3.exeinst3.exeDownFlSetup999.exemd8_8eus.exe

pid process

1504 cutm3.exe
628 inst3.exe
1828 DownFlSetup999.exe
1400 md8_8eus.exe
Loads dropped DLL 4 IoCs

Processes:

Setup12.exe

pid process

516 Setup12.exe
516 Setup12.exe
516 Setup12.exe
516 Setup12.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

pid	process
1504	cutm3.exe
628	inst3.exe
1828	DownFlSetup999.exe
1400	md8_8eus.exe

pid	process
516	Setup12.exe
516	Setup12.exe
516	Setup12.exe
516	Setup12.exe

flow	ioc
11	ip-api.com

Drops file in Program Files directory 9 IoCs

Processes:

Setup12.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Setup12.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Setup12.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	Setup12.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	Setup12.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	Setup12.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	Setup12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DownFlSetup999.exemd8_8eus.exe

description pid process

Token: SeDebugPrivilege 1828 DownFlSetup999.exe
Token: SeManageVolumePrivilege 1400 md8_8eus.exe

description	pid	process
Token: SeDebugPrivilege	1828	DownFlSetup999.exe
Token: SeManageVolumePrivilege	1400	md8_8eus.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Setup12.exe

description	pid	process	target process
PID 516 wrote to memory of 1504	516	Setup12.exe	cutm3.exe
PID 516 wrote to memory of 1504	516	Setup12.exe	cutm3.exe
PID 516 wrote to memory of 1504	516	Setup12.exe	cutm3.exe
PID 516 wrote to memory of 1504	516	Setup12.exe	cutm3.exe
PID 516 wrote to memory of 628	516	Setup12.exe	inst3.exe
PID 516 wrote to memory of 628	516	Setup12.exe	inst3.exe
PID 516 wrote to memory of 628	516	Setup12.exe	inst3.exe
PID 516 wrote to memory of 628	516	Setup12.exe	inst3.exe
PID 516 wrote to memory of 1828	516	Setup12.exe	DownFlSetup999.exe
PID 516 wrote to memory of 1828	516	Setup12.exe	DownFlSetup999.exe
PID 516 wrote to memory of 1828	516	Setup12.exe	DownFlSetup999.exe
PID 516 wrote to memory of 1828	516	Setup12.exe	DownFlSetup999.exe
PID 516 wrote to memory of 1400	516	Setup12.exe	md8_8eus.exe
PID 516 wrote to memory of 1400	516	Setup12.exe	md8_8eus.exe
PID 516 wrote to memory of 1400	516	Setup12.exe	md8_8eus.exe
PID 516 wrote to memory of 1400	516	Setup12.exe	md8_8eus.exe

C:\Users\Admin\AppData\Local\Temp\Setup12.exe
"C:\Users\Admin\AppData\Local\Temp\Setup12.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:516

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
2⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
2⤵
- Executes dropped EXE
PID:628

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
memory/516-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/628-66-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/628-67-0x0000000000120000-0x0000000000132000-memory.dmp

Filesize
72KB

Download
memory/1400-69-0x0000000000000000-mapping.dmp

Download
memory/1400-75-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1400-77-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/1400-83-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/1504-56-0x0000000000000000-mapping.dmp

Download
memory/1828-63-0x0000000000000000-mapping.dmp

Download
memory/1828-72-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1828-76-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

Filesize
8KB

Download