e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28

General

Target

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
Size

361KB
MD5

e2eb762d6d248fec5b8af8ab437cfdc2
SHA1

c6be1c85d65136e6ce2cc098db499837d2c5ea9e
SHA256

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28
SHA512

0c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

SendShow.exe

pid process

1708 SendShow.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
1708	SendShow.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1484 cmd.exe

pid	process
1484	cmd.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\WINE	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\WINE	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

Loads dropped DLL 1 IoCs

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

pid process

1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

pid	process
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

description pid process

Token: SeSecurityPrivilege 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

description	pid	process
Token: SeSecurityPrivilege	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exeSendShow.exe

description	pid	process	target process
PID 1592 wrote to memory of 1708	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	SendShow.exe
PID 1592 wrote to memory of 1708	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	SendShow.exe
PID 1592 wrote to memory of 1708	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	SendShow.exe
PID 1592 wrote to memory of 1708	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	SendShow.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 2012	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1708 wrote to memory of 596	1708	SendShow.exe	svchost.exe
PID 1592 wrote to memory of 1484	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	cmd.exe
PID 1592 wrote to memory of 1484	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	cmd.exe
PID 1592 wrote to memory of 1484	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	cmd.exe
PID 1592 wrote to memory of 1484	1592	e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
"C:\Users\Admin\AppData\Local\Temp\e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe
"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:2012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
3⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd09fdb9da.bat"
2⤵
- Deletes itself
PID:1484

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

4

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upd09fdb9da.bat
Filesize
313B

MD5
77b1708671aa3b400e3b8678e80eff47

SHA1
5c4e1b8ecbf91d9dcf9e00a39c41bfbf296f57a9

SHA256
c569b573250d66c8d34328937f0463abb21e0e6d20db496511d88683b44c182f

SHA512
ef00d1405b9d638ed1a4f3215c19ba1cc2ec92989c51173e87d92118aa19be5fccfa87a36a7dfb13bed174b18f60792f5bb60ec3e0152c6cb4630a48fa7a2a64

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe
Filesize
361KB

MD5
e2eb762d6d248fec5b8af8ab437cfdc2

SHA1
c6be1c85d65136e6ce2cc098db499837d2c5ea9e

SHA256
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28

SHA512
0c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe
Filesize
361KB

MD5
e2eb762d6d248fec5b8af8ab437cfdc2

SHA1
c6be1c85d65136e6ce2cc098db499837d2c5ea9e

SHA256
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28

SHA512
0c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe
Filesize
361KB

MD5
e2eb762d6d248fec5b8af8ab437cfdc2

SHA1
c6be1c85d65136e6ce2cc098db499837d2c5ea9e

SHA256
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28

SHA512
0c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33

Download Submit
memory/596-73-0x0000000000100000-0x0000000000124000-memory.dmp

Filesize
144KB

Download
memory/596-74-0x0000000000100000-0x0000000000124000-memory.dmp

Filesize
144KB

Download
memory/596-77-0x0000000000100000-0x0000000000124000-memory.dmp

Filesize
144KB

Download
memory/596-76-0x0000000000000000-mapping.dmp

Download
memory/596-75-0x0000000000100000-0x0000000000124000-memory.dmp

Filesize
144KB

Download
memory/1484-78-0x0000000000000000-mapping.dmp

Download
memory/1592-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1592-55-0x0000000002180000-0x00000000021AA000-memory.dmp

Filesize
168KB

Download
memory/1592-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1708-61-0x0000000002370000-0x000000000239A000-memory.dmp

Filesize
168KB

Download
memory/1708-62-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/2012-64-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/2012-70-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/2012-69-0x0000000000000000-mapping.dmp

Download
memory/2012-67-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/2012-68-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download
memory/2012-66-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads