2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece

General

Target

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
Size

605KB
MD5

b06ca9689a517fa053a77ebce8fab696
SHA1

06691dda8b7f412ba4c31f2f78678acbc8262881
SHA256

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece
SHA512

9af05fe8d4b2ecb0abcc3283af18950912cc0888bc1a98b3f9164cd839c41ddf6a2dea2c62dfcaaf8b53dac0eb8255ef6527e3f81f6908677d1ed5bce557e917

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
10203040eam.

Signatures

Executes dropped EXE 1 IoCs

Processes:

systems.exe

pid process

2188 systems.exe

pid	process
2188	systems.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ifconfig.me
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
9	ifconfig.me

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

systems.exe

pid process

2188 systems.exe
2188 systems.exe

pid	process
2188	systems.exe
2188	systems.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shutdown.exesystems.exe

description	pid	process
Token: SeShutdownPrivilege	2352	shutdown.exe
Token: SeRemoteShutdownPrivilege	2352	shutdown.exe
Token: SeDebugPrivilege	2188	systems.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

systems.exeLogonUI.exe

pid process

2188 systems.exe
3792 LogonUI.exe

pid	process
2188	systems.exe
3792	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exeWScript.execmd.exe

description	pid	process	target process
PID 1816 wrote to memory of 2188	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	systems.exe
PID 1816 wrote to memory of 2188	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	systems.exe
PID 1816 wrote to memory of 2188	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	systems.exe
PID 1816 wrote to memory of 2680	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	WScript.exe
PID 1816 wrote to memory of 2680	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	WScript.exe
PID 1816 wrote to memory of 2680	1816	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	WScript.exe
PID 2680 wrote to memory of 3188	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 3188	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 3188	2680	WScript.exe	cmd.exe
PID 3188 wrote to memory of 2352	3188	cmd.exe	shutdown.exe
PID 3188 wrote to memory of 2352	3188	cmd.exe	shutdown.exe
PID 3188 wrote to memory of 2352	3188	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
"C:\Users\Admin\AppData\Local\Temp\2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Public\Downloads\systems.exe
"C:\Users\Public\Downloads\systems.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\vbs.bat" "
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 45
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
C:\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
C:\Users\Public\Downloads\vbs.bat

MD5
ade19598f8dad9f073ae38aa05ddbe6d

SHA1
e354e68fec4371c2dd561aac8507bf9e70c675f9

SHA256
b71c40c6d22b2bf20b9b86c8a6af04097d39e58ef31dbf4e4c73636756177985

SHA512
59f4ec80efa5f4804645fb0ad276177afcf5b70643b47e1d483ee881347d583f1df587289cc11e9972e733b39b9458248475705c7d487c4e109575126ede4ddb

Download Submit
C:\Users\Public\Downloads\vbs.vbs

MD5
703060ffd10943fcc7f9c0eede5d114a

SHA1
5fcd96f61af1d1325a8270b229a182f38f573952

SHA256
309cad9f3be025cc5cc1a62d6ea6e6072bd307a9e9af4ab8ddaf7f7ed6f81e03

SHA512
74530da055f7c386efb98e36fc52553c1d0e3f33031af8fb87c4ded84f3475bf0c983ed044ddefee1020384020f6c848249cd1a238b97567845bcbb4a8371953

Download Submit
memory/2188-120-0x00000000007B0000-0x0000000000804000-memory.dmp

Filesize
336KB

Download
memory/2188-122-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/2188-123-0x00000000050B0000-0x000000000514C000-memory.dmp

Filesize
624KB

Download
memory/2188-124-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/2188-125-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2188-126-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/2188-127-0x0000000006690000-0x000000000669A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads