b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

General

Target

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
Size

198KB
MD5

06881454143376beb76a127d1758524d
SHA1

4c6957bee8f43be7a44918f7a418270134bc4e9c
SHA256

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
SHA512

abba15ced8006c48468b4375bded848c5e16cfa97006c10f09db716aac946f3d4c25f2a6f55ea7e1f473f83ba83f3cc25617ea159fd4be29c9ed9f517c0a3c67

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 1 IoCs

Processes:

NiceProcessX64.bmp.exe

pid process

1144 NiceProcessX64.bmp.exe

pid	process
1144	NiceProcessX64.bmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

Loads dropped DLL 1 IoCs

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

pid process

1816 b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1760 1816 WerFault.exe b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

pid	pid_target	process	target process
1760	1816	WerFault.exe	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exeNiceProcessX64.bmp.exe

pid	process
1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe
1144	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

description	pid	process	target process
PID 1816 wrote to memory of 1144	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 1816 wrote to memory of 1144	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 1816 wrote to memory of 1144	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 1816 wrote to memory of 1144	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 1816 wrote to memory of 1760	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	WerFault.exe
PID 1816 wrote to memory of 1760	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	WerFault.exe
PID 1816 wrote to memory of 1760	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	WerFault.exe
PID 1816 wrote to memory of 1760	1816	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
"C:\Users\Admin\AppData\Local\Temp\b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1412
2⤵
- Program crash
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
22KB

MD5
c0eec07beaa2f3e6fabf34b3b5a7a668

SHA1
ab115bcb4b2a4ce626f499f50c373e963799121e

SHA256
347f056079693a6016c287d08f696d24d5b283046defa5a7863c29e6f30adadf

SHA512
b1970cd6de01451413135479a2ab658e4b52d0ed4daff28cf7e2156bb1b4c0884bbd0ed5fa0caf393f9380293e481aa36592a061721d82e3cffb748cfeb5775e

Download Submit
memory/1144-57-0x0000000000000000-mapping.dmp

Download
memory/1760-59-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/1816-55-0x0000000003DC0000-0x0000000003F80000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads