a752e6646589c8b6f273ef47f91b8290ae41ed81ec2e18f56aa42aefaad1f47f

General

Target

Software-update-patc_828811790.exe
Size

3.6MB
MD5

6e9eb03a3eb0f09e4080d9c8ab1912d4
SHA1

f9c72350b8daa26d9305588ed6012d0282db70a8
SHA256

cc87d298ec17242a0cdb49c08067af27b51b97ac386c7955c04799e9d8770049
SHA512

d3d2df27be23aa68646753da2bff49bb4328fa7fefb8d5bcce80ea795b89bd16af12d409953ee374ea4240423598f6777de98f5030e60b9d64e55f0a43a7b8e1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Software-update-patc_828811790.tmpAssumenda.exe

pid process

1512 Software-update-patc_828811790.tmp
752 Assumenda.exe

pid	process
1512	Software-update-patc_828811790.tmp
752	Assumenda.exe

Loads dropped DLL 5 IoCs

Processes:

Software-update-patc_828811790.exeSoftware-update-patc_828811790.tmp

pid	process
1200	Software-update-patc_828811790.exe
1512	Software-update-patc_828811790.tmp
1512	Software-update-patc_828811790.tmp
1512	Software-update-patc_828811790.tmp
1512	Software-update-patc_828811790.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

Processes:

Software-update-patc_828811790.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\is-ITTQN.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\maiores\is-QCOHA.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\tempore\is-4145P.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\is-BRK8R.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\tempore\is-E3S7A.tmp	Software-update-patc_828811790.tmp
File opened for modification	C:\Program Files (x86)\Accusantium\unins000.dat	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\unins000.dat	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\is-DDTNI.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\is-D1SSN.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\itaque\is-TSUA7.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\maiores\is-0IBM0.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\tempore\is-R83JM.tmp	Software-update-patc_828811790.tmp
File created	C:\Program Files (x86)\Accusantium\is-4F461.tmp	Software-update-patc_828811790.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Software-update-patc_828811790.tmpAssumenda.exe

pid process

1512 Software-update-patc_828811790.tmp
1512 Software-update-patc_828811790.tmp
752 Assumenda.exe
752 Assumenda.exe
752 Assumenda.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Software-update-patc_828811790.tmp

pid process

1512 Software-update-patc_828811790.tmp

pid	process
1512	Software-update-patc_828811790.tmp
1512	Software-update-patc_828811790.tmp
752	Assumenda.exe
752	Assumenda.exe
752	Assumenda.exe

pid	process
1512	Software-update-patc_828811790.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Software-update-patc_828811790.exeSoftware-update-patc_828811790.tmp

description	pid	process	target process
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1200 wrote to memory of 1512	1200	Software-update-patc_828811790.exe	Software-update-patc_828811790.tmp
PID 1512 wrote to memory of 752	1512	Software-update-patc_828811790.tmp	Assumenda.exe
PID 1512 wrote to memory of 752	1512	Software-update-patc_828811790.tmp	Assumenda.exe
PID 1512 wrote to memory of 752	1512	Software-update-patc_828811790.tmp	Assumenda.exe
PID 1512 wrote to memory of 752	1512	Software-update-patc_828811790.tmp	Assumenda.exe

C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp" /SL5="$40118,3377883,240640,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe
"C:\Program Files (x86)\Accusantium/\tempore\Assumenda.exe" d3b0aed80a2fbfbbd35503deae29785f
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe
MD5
cf8c93518bc76bd27b8d1ecb082be2f1

SHA1
873c20fd50df777775884b5e428ac77770faa342

SHA256
431cee50177d918a68251b7816bfcddac8d3f94a8d0ac129b7d1bb2698b61cd6

SHA512
bdaeb5e49ec341eb191842752aecb98569ab8f28711ce27a84902876501e0c16eabde1cb0952d2d4461756c7f6aba9031e08676b8ed95af4a3f41a4ff0fc1f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
MD5
0f1c4126626a086cae867c2df9a56040

SHA1
31f024a4013976458502ec45739eac11a1d0595d

SHA256
34fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6

SHA512
eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
MD5
0f1c4126626a086cae867c2df9a56040

SHA1
31f024a4013976458502ec45739eac11a1d0595d

SHA256
34fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6

SHA512
eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf

Download Submit
\Program Files (x86)\Accusantium\tempore\Assumenda.exe
MD5
cf8c93518bc76bd27b8d1ecb082be2f1

SHA1
873c20fd50df777775884b5e428ac77770faa342

SHA256
431cee50177d918a68251b7816bfcddac8d3f94a8d0ac129b7d1bb2698b61cd6

SHA512
bdaeb5e49ec341eb191842752aecb98569ab8f28711ce27a84902876501e0c16eabde1cb0952d2d4461756c7f6aba9031e08676b8ed95af4a3f41a4ff0fc1f38

Download Submit
\Users\Admin\AppData\Local\Temp\is-MFD4P.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-MFD4P.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MFD4P.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
MD5
0f1c4126626a086cae867c2df9a56040

SHA1
31f024a4013976458502ec45739eac11a1d0595d

SHA256
34fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6

SHA512
eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf

Download Submit
memory/752-68-0x0000000000000000-mapping.dmp

Download
memory/752-71-0x0000000000400000-0x00000000016D8000-memory.dmp

Filesize
18.8MB

Download
memory/752-72-0x0000000000400000-0x00000000016D8000-memory.dmp

Filesize
18.8MB

Download
memory/752-73-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/1200-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1200-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1512-65-0x0000000074351000-0x0000000074353000-memory.dmp

Filesize
8KB

Download
memory/1512-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1512-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads