2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece

General

Target

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
Size

605KB
MD5

b06ca9689a517fa053a77ebce8fab696
SHA1

06691dda8b7f412ba4c31f2f78678acbc8262881
SHA256

2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece
SHA512

9af05fe8d4b2ecb0abcc3283af18950912cc0888bc1a98b3f9164cd839c41ddf6a2dea2c62dfcaaf8b53dac0eb8255ef6527e3f81f6908677d1ed5bce557e917

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
10203040eam.

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	systems.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systems.exe	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ifconfig.me

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	systems.exe
1624	systems.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	668	shutdown.exe
Token: SeRemoteShutdownPrivilege	668	shutdown.exe
Token: SeDebugPrivilege	1624	systems.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1624	systems.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1624	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	27
PID 2044 wrote to memory of 1624	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	27
PID 2044 wrote to memory of 1624	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	27
PID 2044 wrote to memory of 1624	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	27
PID 2044 wrote to memory of 964	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	28
PID 2044 wrote to memory of 964	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	28
PID 2044 wrote to memory of 964	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	28
PID 2044 wrote to memory of 964	2044	2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe	28
PID 964 wrote to memory of 648	964	WScript.exe	29
PID 964 wrote to memory of 648	964	WScript.exe	29
PID 964 wrote to memory of 648	964	WScript.exe	29
PID 964 wrote to memory of 648	964	WScript.exe	29
PID 648 wrote to memory of 668	648	cmd.exe	31
PID 648 wrote to memory of 668	648	cmd.exe	31
PID 648 wrote to memory of 668	648	cmd.exe	31
PID 648 wrote to memory of 668	648	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe
"C:\Users\Admin\AppData\Local\Temp\2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Public\Downloads\systems.exe
  "C:\Users\Public\Downloads\systems.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\Downloads\vbs.bat" "
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 45
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-68-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1528-69-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1624-63-0x0000000000190000-0x00000000001E4000-memory.dmp

Filesize
336KB

Download
memory/1624-66-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1624-67-0x0000000004BD5000-0x0000000004BE6000-memory.dmp

Filesize
68KB

Download
memory/1704-71-0x0000000002750000-0x0000000002851000-memory.dmp

Filesize
1.0MB

Download
memory/2044-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing