1617312694ff78615ceee4b38553cd2c7f3a0819a94de39e09dcdd3800c1ce1c

General

Target

Setup12.exe_.exe
Size

3.0MB
MD5

96c6b5a436880dca627c18da77fb7048
SHA1

c906eb0bd5caad620137a1f83fca4eaba4654022
SHA256

1617312694ff78615ceee4b38553cd2c7f3a0819a94de39e09dcdd3800c1ce1c
SHA512

277fb59ff99fc47e309883f159de5bc1ecbd4d03d19813697bd1bdd995cb48046b7fa62ca4aab337c776acd25c80cbd182466e9783ddd47f2601670736fad454

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

cutm3.exeinst3.exemd8_8eus.exeDownFlSetup999.exe

pid process

3912 cutm3.exe
4036 inst3.exe
744 md8_8eus.exe
1940 DownFlSetup999.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md8_8eus.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com

pid	process
3912	cutm3.exe
4036	inst3.exe
744	md8_8eus.exe
1940	DownFlSetup999.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

flow	ioc
8	ip-api.com

Drops file in Program Files directory 12 IoCs

Processes:

Setup12.exe_.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	Setup12.exe_.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Setup12.exe_.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Setup12.exe_.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

DownFlSetup999.exemd8_8eus.exe

description	pid	process
Token: SeDebugPrivilege	1940	DownFlSetup999.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe
Token: SeManageVolumePrivilege	744	md8_8eus.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Setup12.exe_.exe

description	pid	process	target process
PID 3680 wrote to memory of 3912	3680	Setup12.exe_.exe	cutm3.exe
PID 3680 wrote to memory of 3912	3680	Setup12.exe_.exe	cutm3.exe
PID 3680 wrote to memory of 4036	3680	Setup12.exe_.exe	inst3.exe
PID 3680 wrote to memory of 4036	3680	Setup12.exe_.exe	inst3.exe
PID 3680 wrote to memory of 4036	3680	Setup12.exe_.exe	inst3.exe
PID 3680 wrote to memory of 744	3680	Setup12.exe_.exe	md8_8eus.exe
PID 3680 wrote to memory of 744	3680	Setup12.exe_.exe	md8_8eus.exe
PID 3680 wrote to memory of 744	3680	Setup12.exe_.exe	md8_8eus.exe
PID 3680 wrote to memory of 1940	3680	Setup12.exe_.exe	DownFlSetup999.exe
PID 3680 wrote to memory of 1940	3680	Setup12.exe_.exe	DownFlSetup999.exe

C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\Setup12.exe_.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
2⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
2⤵
- Executes dropped EXE
PID:4036

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
MD5
17f6f3213a5a5d2fb1ef8793081c5ddd

SHA1
4601bd223fd7c52b12bc186ec9a0eb94167aaebb

SHA256
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

SHA512
b640e80f1aec1302ad95f88b3fa10d16df39f9ecf498eadcd602bbd945550c8843393ef6176a2fc3120cf3db487edd400f3a633ef944faae5abcef67637d7276

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst3.exe
MD5
a41adbdafc72a86a7a74c494659954b4

SHA1
d43696a0e3704a141fc0cf6a1098525c00ce882f

SHA256
d6d48be25063b05a78a013810ef21ed4a64a2122f91fadcbaf609dee8cce6f7e

SHA512
44a1bd50cf1bed0ef1adaf7839ae8549c752b9825f542daa51730019f8f3186af0c12621789668e8a083625b90680d804d8a7a7de8f46da2df5cb7550afd45d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
12ef159d590b06aa7673987b5b66df62

SHA1
0daaa15a5880766b22318e58dc7895f5c5a3f8dc

SHA256
c8941c8ce0a127aa4d032eb85a3358a831ce5b2001f4664340daeba2f5b0853d

SHA512
c2b6a54674c1d984b2f4cc2350e66c2edf7ec70398466f12e5ca7aae4e1497ac36f294441ea34b443e35846e3d7ee4c04300709ba539e6c9c26eb70e8cd43337

Download Submit
memory/744-130-0x0000000000660000-0x0000000000663000-memory.dmp

Filesize
12KB

Download
memory/744-154-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-160-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-121-0x0000000000000000-mapping.dmp

Download
memory/744-159-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-158-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-157-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-156-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-155-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/744-133-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/744-139-0x0000000003E50000-0x0000000003E60000-memory.dmp

Filesize
64KB

Download
memory/744-152-0x0000000004E10000-0x0000000004E18000-memory.dmp

Filesize
32KB

Download
memory/744-153-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/1940-127-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1940-132-0x000000001BDF0000-0x000000001BDF2000-memory.dmp

Filesize
8KB

Download
memory/1940-124-0x0000000000000000-mapping.dmp

Download
memory/3912-115-0x0000000000000000-mapping.dmp

Download
memory/4036-131-0x0000000001140000-0x0000000001152000-memory.dmp

Filesize
72KB

Download
memory/4036-129-0x0000000000FA0000-0x000000000104E000-memory.dmp

Filesize
696KB

Download
memory/4036-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads