24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c

General

Target

24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
Size

530KB
MD5

a3a6614e47512951bb08022e63f6cb53
SHA1

1c6448302dfc12335a0f487e9eb26eee9e44fb37
SHA256

24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c
SHA512

bc2cee3810f64a32c9df33efd7fddfd659328476156febaab5872ff052c5dcc35be8f4618239e632fa5ef165dac8fc6f02cb0fc26f395c3efdd0f2df4965ccd4

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

392 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
392	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

808 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 WinHttp.WinHttpRequest.5.1

pid	process
808	PING.EXE

description	flow	ioc
HTTP User-Agent header	5	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 1656	452	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
PID 452 wrote to memory of 1656	452	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
PID 452 wrote to memory of 1656	452	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
PID 452 wrote to memory of 1656	452	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
PID 1656 wrote to memory of 392	1656	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	cmd.exe
PID 1656 wrote to memory of 392	1656	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	cmd.exe
PID 1656 wrote to memory of 392	1656	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	cmd.exe
PID 1656 wrote to memory of 392	1656	24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe	cmd.exe
PID 392 wrote to memory of 808	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 808	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 808	392	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
"C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe dfsr
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-60-0x0000000000000000-mapping.dmp

Download
memory/452-56-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/452-58-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/452-54-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/808-61-0x0000000000000000-mapping.dmp

Download
memory/1656-55-0x0000000000000000-mapping.dmp

Download
memory/1656-59-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing