fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e

General

Target

stub.bin.exe
Size

561KB
MD5

68260e77a8d3f9f51e06d351f9ec4a9a
SHA1

11dad0b9986ed9f8da5b8021bf1fdcef7aeba159
SHA256

fddde87baeb78e0cbd56e87bf6e27052c13a42b5c808331b39157a605851164e
SHA512

7801cfdf9786d14c5386c900e42b8228c8242be13e5f6d3e8fd8b4c93f6796faec7caf0f93077ecc5933e912113ea6dfb735160b0289e34073a7f0a337ff66f1

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 6 IoCs

Processes:

stub.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	stub.bin.exe
File created	C:\Users\Admin\AppData\Local\7884e5c8d073104ae541abc0f9567b09\Admin@RSSLLXYN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	stub.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2040 4356 WerFault.exe stub.bin.exe

pid	pid_target	process	target process
2040	4356	WerFault.exe	stub.bin.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

stub.bin.exeWerFault.exe

pid	process
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
4356	stub.bin.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

stub.bin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4356	stub.bin.exe
Token: SeRestorePrivilege	2040	WerFault.exe
Token: SeBackupPrivilege	2040	WerFault.exe
Token: SeDebugPrivilege	2040	WerFault.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

stub.bin.execmd.execmd.exe

description	pid	process	target process
PID 4356 wrote to memory of 4700	4356	stub.bin.exe	cmd.exe
PID 4356 wrote to memory of 4700	4356	stub.bin.exe	cmd.exe
PID 4356 wrote to memory of 4700	4356	stub.bin.exe	cmd.exe
PID 4700 wrote to memory of 852	4700	cmd.exe	chcp.com
PID 4700 wrote to memory of 852	4700	cmd.exe	chcp.com
PID 4700 wrote to memory of 852	4700	cmd.exe	chcp.com
PID 4700 wrote to memory of 296	4700	cmd.exe	netsh.exe
PID 4700 wrote to memory of 296	4700	cmd.exe	netsh.exe
PID 4700 wrote to memory of 296	4700	cmd.exe	netsh.exe
PID 4700 wrote to memory of 1036	4700	cmd.exe	findstr.exe
PID 4700 wrote to memory of 1036	4700	cmd.exe	findstr.exe
PID 4700 wrote to memory of 1036	4700	cmd.exe	findstr.exe
PID 4356 wrote to memory of 1280	4356	stub.bin.exe	cmd.exe
PID 4356 wrote to memory of 1280	4356	stub.bin.exe	cmd.exe
PID 4356 wrote to memory of 1280	4356	stub.bin.exe	cmd.exe
PID 1280 wrote to memory of 1796	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1796	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1796	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1860	1280	cmd.exe	netsh.exe
PID 1280 wrote to memory of 1860	1280	cmd.exe	netsh.exe
PID 1280 wrote to memory of 1860	1280	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\stub.bin.exe
"C:\Users\Admin\AppData\Local\Temp\stub.bin.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:852

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:296

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 2620
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-123-0x0000000000000000-mapping.dmp

Download
memory/852-122-0x0000000000000000-mapping.dmp

Download
memory/1036-124-0x0000000000000000-mapping.dmp

Download
memory/1280-125-0x0000000000000000-mapping.dmp

Download
memory/1796-126-0x0000000000000000-mapping.dmp

Download
memory/1860-127-0x0000000000000000-mapping.dmp

Download
memory/4356-115-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4356-117-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4356-118-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4356-119-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/4356-121-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/4700-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads