2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece

General

Target

b06ca9689a517fa053a77ebce8fab696.exe
Size

605KB
MD5

b06ca9689a517fa053a77ebce8fab696
SHA1

06691dda8b7f412ba4c31f2f78678acbc8262881
SHA256

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece
SHA512

9af05fe8d4b2ecb0abcc3283af18950912cc0888bc1a98b3f9164cd839c41ddf6a2dea2c62dfcaaf8b53dac0eb8255ef6527e3f81f6908677d1ed5bce557e917

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
10203040eam.

Signatures

Executes dropped EXE 1 IoCs

Processes:

systems.exe

pid process

1460 systems.exe

pid	process
1460	systems.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

b06ca9689a517fa053a77ebce8fab696.exe

pid	process
1476	b06ca9689a517fa053a77ebce8fab696.exe
1476	b06ca9689a517fa053a77ebce8fab696.exe
1476	b06ca9689a517fa053a77ebce8fab696.exe
1476	b06ca9689a517fa053a77ebce8fab696.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ifconfig.me
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

systems.exe

pid process

1460 systems.exe
1460 systems.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

systems.exeshutdown.exe

description pid process

Token: SeDebugPrivilege 1460 systems.exe
Token: SeShutdownPrivilege 576 shutdown.exe
Token: SeRemoteShutdownPrivilege 576 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

systems.exe

pid process

1460 systems.exe

flow	ioc
3	ifconfig.me

pid	process
1460	systems.exe
1460	systems.exe

description	pid	process
Token: SeDebugPrivilege	1460	systems.exe
Token: SeShutdownPrivilege	576	shutdown.exe
Token: SeRemoteShutdownPrivilege	576	shutdown.exe

pid	process
1460	systems.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b06ca9689a517fa053a77ebce8fab696.exeWScript.execmd.exe

description	pid	process	target process
PID 1476 wrote to memory of 1460	1476	b06ca9689a517fa053a77ebce8fab696.exe	systems.exe
PID 1476 wrote to memory of 1460	1476	b06ca9689a517fa053a77ebce8fab696.exe	systems.exe
PID 1476 wrote to memory of 1460	1476	b06ca9689a517fa053a77ebce8fab696.exe	systems.exe
PID 1476 wrote to memory of 1460	1476	b06ca9689a517fa053a77ebce8fab696.exe	systems.exe
PID 1476 wrote to memory of 1208	1476	b06ca9689a517fa053a77ebce8fab696.exe	WScript.exe
PID 1476 wrote to memory of 1208	1476	b06ca9689a517fa053a77ebce8fab696.exe	WScript.exe
PID 1476 wrote to memory of 1208	1476	b06ca9689a517fa053a77ebce8fab696.exe	WScript.exe
PID 1476 wrote to memory of 1208	1476	b06ca9689a517fa053a77ebce8fab696.exe	WScript.exe
PID 1208 wrote to memory of 676	1208	WScript.exe	cmd.exe
PID 1208 wrote to memory of 676	1208	WScript.exe	cmd.exe
PID 1208 wrote to memory of 676	1208	WScript.exe	cmd.exe
PID 1208 wrote to memory of 676	1208	WScript.exe	cmd.exe
PID 676 wrote to memory of 576	676	cmd.exe	shutdown.exe
PID 676 wrote to memory of 576	676	cmd.exe	shutdown.exe
PID 676 wrote to memory of 576	676	cmd.exe	shutdown.exe
PID 676 wrote to memory of 576	676	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe
"C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Public\Downloads\systems.exe
"C:\Users\Public\Downloads\systems.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Downloads\vbs.bat" "
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 45
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
C:\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
C:\Users\Public\Downloads\vbs.bat

MD5
ade19598f8dad9f073ae38aa05ddbe6d

SHA1
e354e68fec4371c2dd561aac8507bf9e70c675f9

SHA256
b71c40c6d22b2bf20b9b86c8a6af04097d39e58ef31dbf4e4c73636756177985

SHA512
59f4ec80efa5f4804645fb0ad276177afcf5b70643b47e1d483ee881347d583f1df587289cc11e9972e733b39b9458248475705c7d487c4e109575126ede4ddb

Download Submit
C:\Users\Public\Downloads\vbs.vbs

MD5
703060ffd10943fcc7f9c0eede5d114a

SHA1
5fcd96f61af1d1325a8270b229a182f38f573952

SHA256
309cad9f3be025cc5cc1a62d6ea6e6072bd307a9e9af4ab8ddaf7f7ed6f81e03

SHA512
74530da055f7c386efb98e36fc52553c1d0e3f33031af8fb87c4ded84f3475bf0c983ed044ddefee1020384020f6c848249cd1a238b97567845bcbb4a8371953

Download Submit
\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
\Users\Public\Downloads\systems.exe

MD5
7dcef4cc1f3f2a74f8fbc0c0166a27c3

SHA1
a9297bdcd7627cdb9f7ad5a2611a0f1c283c272b

SHA256
92fe9be6bf00bc36f978665fc900082dc40e5b863c92c3070f819aeb7113ef93

SHA512
ac358b03013a2ebb7b18ab8adb2ce1f5fc115ea9bd6f1894e625148a206248be6f27d1dc408f014b28934fa63b5b5a80ae5bd2ac3fc85d511d6a27e4405793a3

Download Submit
memory/1460-62-0x0000000000F10000-0x0000000000F64000-memory.dmp

Filesize
336KB

Download
memory/1460-64-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1460-67-0x0000000000E55000-0x0000000000E66000-memory.dmp

Filesize
68KB

Download
memory/1476-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1652-68-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1652-69-0x0000000002830000-0x0000000002931000-memory.dmp

Filesize
1.0MB

Download
memory/1724-71-0x0000000002750000-0x0000000002851000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads