1617312694ff78615ceee4b38553cd2c7f3a0819a94de39e09dcdd3800c1ce1c

Analysis

max time kernel
136s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
24-10-2021 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup12.exe_.exe
Size

3.0MB
MD5

96c6b5a436880dca627c18da77fb7048
SHA1

c906eb0bd5caad620137a1f83fca4eaba4654022
SHA256

1617312694ff78615ceee4b38553cd2c7f3a0819a94de39e09dcdd3800c1ce1c
SHA512

277fb59ff99fc47e309883f159de5bc1ecbd4d03d19813697bd1bdd995cb48046b7fa62ca4aab337c776acd25c80cbd182466e9783ddd47f2601670736fad454

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

cutm3.exeinst3.exemd8_8eus.exeDownFlSetup999.exe

pid process

1168 cutm3.exe
1516 inst3.exe
1924 md8_8eus.exe
1292 DownFlSetup999.exe
Loads dropped DLL 4 IoCs

Processes:

Setup12.exe_.exe

pid process

836 Setup12.exe_.exe
836 Setup12.exe_.exe
836 Setup12.exe_.exe
836 Setup12.exe_.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com

pid	process
1168	cutm3.exe
1516	inst3.exe
1924	md8_8eus.exe
1292	DownFlSetup999.exe

pid	process
836	Setup12.exe_.exe
836	Setup12.exe_.exe
836	Setup12.exe_.exe
836	Setup12.exe_.exe

flow	ioc
9	ip-api.com

Drops file in Program Files directory 9 IoCs

Processes:

Setup12.exe_.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Setup12.exe_.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Setup12.exe_.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	Setup12.exe_.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DownFlSetup999.exemd8_8eus.exe

description pid process

Token: SeDebugPrivilege 1292 DownFlSetup999.exe
Token: SeManageVolumePrivilege 1924 md8_8eus.exe

description	pid	process
Token: SeDebugPrivilege	1292	DownFlSetup999.exe
Token: SeManageVolumePrivilege	1924	md8_8eus.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Setup12.exe_.exe

description	pid	process	target process
PID 836 wrote to memory of 1168	836	Setup12.exe_.exe	cutm3.exe
PID 836 wrote to memory of 1168	836	Setup12.exe_.exe	cutm3.exe
PID 836 wrote to memory of 1168	836	Setup12.exe_.exe	cutm3.exe
PID 836 wrote to memory of 1168	836	Setup12.exe_.exe	cutm3.exe
PID 836 wrote to memory of 1516	836	Setup12.exe_.exe	inst3.exe
PID 836 wrote to memory of 1516	836	Setup12.exe_.exe	inst3.exe
PID 836 wrote to memory of 1516	836	Setup12.exe_.exe	inst3.exe
PID 836 wrote to memory of 1516	836	Setup12.exe_.exe	inst3.exe
PID 836 wrote to memory of 1924	836	Setup12.exe_.exe	md8_8eus.exe
PID 836 wrote to memory of 1924	836	Setup12.exe_.exe	md8_8eus.exe
PID 836 wrote to memory of 1924	836	Setup12.exe_.exe	md8_8eus.exe
PID 836 wrote to memory of 1924	836	Setup12.exe_.exe	md8_8eus.exe
PID 836 wrote to memory of 1292	836	Setup12.exe_.exe	DownFlSetup999.exe
PID 836 wrote to memory of 1292	836	Setup12.exe_.exe	DownFlSetup999.exe
PID 836 wrote to memory of 1292	836	Setup12.exe_.exe	DownFlSetup999.exe
PID 836 wrote to memory of 1292	836	Setup12.exe_.exe	DownFlSetup999.exe

C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
2⤵
- Executes dropped EXE
PID:1168

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
2⤵
- Executes dropped EXE
PID:1516

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
memory/836-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1168-57-0x0000000000000000-mapping.dmp

Download
memory/1292-77-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/1292-75-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1292-69-0x0000000000000000-mapping.dmp

Download
memory/1516-60-0x0000000000000000-mapping.dmp

Download
memory/1516-64-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1516-63-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1924-66-0x0000000000000000-mapping.dmp

Download
memory/1924-74-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1924-78-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download