525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f

Analysis

Target

525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f.exe
Size

1.1MB
MD5

f61b6543fa50129b2a18c778c10c8f9c
SHA1

ff73721c5a733765db6a850b56c602a5fe39af70
SHA256

525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f
SHA512

d00bb238c3b64b88c1037074835777e0154ca0aabcb05965c07b67c965a07bfc8cc3ef63971ad5499c233ce6bd3d7fef650f39a6de775f68f29ad25439526984

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f.exe
4436	525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeCreatePagefilePrivilege	2780	svchost.exe
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeCreatePagefilePrivilege	2780	svchost.exe
Token: SeShutdownPrivilege	2780	svchost.exe
Token: SeCreatePagefilePrivilege	2780	svchost.exe

C:\Users\Admin\AppData\Local\Temp\525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f.exe
"C:\Users\Admin\AppData\Local\Temp\525290a0b745ca14629504364609587f123d5b924004c5e542703d8eaf127c3f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2780-347-0x00000269B8F90000-0x00000269B8FA0000-memory.dmp

Filesize
64KB

Download
memory/2780-354-0x00000269BBD10000-0x00000269BBD14000-memory.dmp

Filesize
16KB

Download