9b09757ac96b9560ef40880d542b3a97fbff5118739ed748590f4e47a83b2026

General

Target

PO23294248429.exe
Size

320KB
MD5

1eae5284068cbc12ec56e10c79a7373a
SHA1

22c8709aac17b8854ac9733123c7a964f1f9d090
SHA256

e8f02457c0ce811c8b7e3574ec86609d52021d2cb59782ee6ef1efb0bb6e0af2
SHA512

a51ed3bb0d9a6c6130e83584b68d06b316c1628b0abaa37ddf5a5141f312b1cd22aa6ae13c9a21afa8c8cd59e54ca2d1f21d423f072bcf31229e2dc0dbf2618c

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3364 svhost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3364	svhost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svhost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ifconfig.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO23294248429.exe

description pid process target process

PID 4980 set thread context of 3364 4980 PO23294248429.exe svhost.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 3364 WerFault.exe svhost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO23294248429.exesvhost.exe

pid process

4980 PO23294248429.exe
3364 svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO23294248429.exesvhost.exe

description pid process

Token: SeDebugPrivilege 4980 PO23294248429.exe
Token: SeDebugPrivilege 3364 svhost.exe

flow	ioc
4	ifconfig.me

description	pid	process	target process
PID 4980 set thread context of 3364	4980	PO23294248429.exe	svhost.exe

pid	pid_target	process	target process
1020	3364	WerFault.exe	svhost.exe

pid	process
4980	PO23294248429.exe
3364	svhost.exe

description	pid	process
Token: SeDebugPrivilege	4980	PO23294248429.exe
Token: SeDebugPrivilege	3364	svhost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PO23294248429.exe

description	pid	process	target process
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe
PID 4980 wrote to memory of 3364	4980	PO23294248429.exe	svhost.exe

outlook_office_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svhost.exe

outlook_win_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svhost.exe

C:\Users\Admin\AppData\Local\Temp\PO23294248429.exe
"C:\Users\Admin\AppData\Local\Temp\PO23294248429.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1512
    3⤵
    - Program crash
    PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3364 -ip 3364
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/3364-132-0x0000000000000000-mapping.dmp

Download
memory/3364-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3364-136-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/3364-137-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/3364-138-0x0000000006180000-0x0000000006342000-memory.dmp

Filesize
1.8MB

Download
memory/4980-130-0x0000000000A90000-0x0000000000AE6000-memory.dmp

Filesize
344KB

Download
memory/4980-131-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads