1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567

General

Target

1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe
Size

1.0MB
MD5

b38094dd1906ba24beb97ec7055b21b1
SHA1

6aabc056817369549cb8c0c857395aa3ec6530ed
SHA256

1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567
SHA512

54a1347d8e63e54ed6781323384a22d16a3cf5cac1e477508ac7b59cee12b6642b2cfbdab46d2bb9cbc898af6e7149214a9564dcb2e694e8d3d94e3e3c18119b

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DePass_Micro.exe

pid process

800 DePass_Micro.exe

pid	process
800	DePass_Micro.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe

Loads dropped DLL 1 IoCs

Processes:

DePass_Micro.exe

pid process

800 DePass_Micro.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
800	DePass_Micro.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.execmd.execmd.exe

description	pid	process	target process
PID 4368 wrote to memory of 624	4368	1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe	cmd.exe
PID 4368 wrote to memory of 624	4368	1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe	cmd.exe
PID 4368 wrote to memory of 624	4368	1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe	cmd.exe
PID 624 wrote to memory of 1432	624	cmd.exe	cmd.exe
PID 624 wrote to memory of 1432	624	cmd.exe	cmd.exe
PID 624 wrote to memory of 1432	624	cmd.exe	cmd.exe
PID 1432 wrote to memory of 800	1432	cmd.exe	DePass_Micro.exe
PID 1432 wrote to memory of 800	1432	cmd.exe	DePass_Micro.exe
PID 1432 wrote to memory of 800	1432	cmd.exe	DePass_Micro.exe

C:\Users\Admin\AppData\Local\Temp\1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe
"C:\Users\Admin\AppData\Local\Temp\1a537f30ab47f00b70f867ff3864c2c7ab30224ce2d443f23474054f31463567.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\RSA\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe
DePass_Micro.exe /Silent /nm
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe
Filesize
1.7MB

MD5
85ebf9e998f85b243775f42df3d79047

SHA1
7b8d3bda72e8911c3a18f6b0d14aec8b0d6d6bad

SHA256
72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7

SHA512
62f8246aef6271a34700542484362988f6873437b0ca49b1e25fb1932ee3d330795041dcee8cb9dd3bb5c0e7b93f8f3b2ffc5edc973c8a1efba19d257b0ca168

Download Submit
C:\Users\Admin\AppData\Local\Temp\H8563f34fR_7T45Basd35S4E\DePass_Micro.exe
Filesize
1.7MB

MD5
85ebf9e998f85b243775f42df3d79047

SHA1
7b8d3bda72e8911c3a18f6b0d14aec8b0d6d6bad

SHA256
72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7

SHA512
62f8246aef6271a34700542484362988f6873437b0ca49b1e25fb1932ee3d330795041dcee8cb9dd3bb5c0e7b93f8f3b2ffc5edc973c8a1efba19d257b0ca168

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.tmp
Filesize
590KB

MD5
9120403115f68fc32af4a1794e39cc8e

SHA1
43c29dcd4594436e2007900fd9d45a68e443ad44

SHA256
079f4cfc92f694308376df5339e72eeda850f81664a510405d563c0a711ca2a3

SHA512
c2c22500cee61b1328c1d28820b1003bae00118255ff9dfc49359a13af841a17df2032f74d42e3e61fceb1cd53d61ab606b38a45ea7a7ae113189a33dd6f919a

Download Submit
C:\Users\Admin\AppData\Roaming\Local\RSA\1.bat
Filesize
37B

MD5
b5cc8da101df807fc8c932b3d26b6e47

SHA1
e2e36f03d4c61dcd351763b677b84fa099dc2604

SHA256
d1c5e037e959eb214638ec6630b9f1e4a58082c11439d23a17e7bae097631d61

SHA512
2f3cb8c3d54c499d1fd1cccc6b7e9c24595bcc8a5e91a0294ac07712f4311b3cb2f6d606ec1d82163d55e8f98b5b3a11942a4af6ab6e97dcf08fef5c4cd873b7

Download Submit
C:\Users\Admin\AppData\Roaming\Local\RSA\2.bat
Filesize
547B

MD5
4bdd56492f538d4e8eef5d7c879b64a6

SHA1
28a2e301887b65171ee35bcd460aa1e360ebb874

SHA256
59687b9bdd72edaa3519504f5b7688a659b9d66ee03c29686dcd68470034e827

SHA512
f45a202f86562f65f5a1d280dbc7ba7c57ca26a684bcc40eb3ce3b8e4405e1570d85d24975bc7d6eb7ba62fbeaac0203deca4224d688f4368d113101ec54dd67

Download Submit
C:\Users\Admin\AppData\Roaming\Local\RSA\DePass_Micro.exe
Filesize
1.7MB

MD5
85ebf9e998f85b243775f42df3d79047

SHA1
7b8d3bda72e8911c3a18f6b0d14aec8b0d6d6bad

SHA256
72e7492411ac46f5309fe9ba075fcc8097fd766f269aca04aca10c787f4e69e7

SHA512
62f8246aef6271a34700542484362988f6873437b0ca49b1e25fb1932ee3d330795041dcee8cb9dd3bb5c0e7b93f8f3b2ffc5edc973c8a1efba19d257b0ca168

Download Submit
C:\Users\Admin\AppData\Roaming\Local\RSA\fcp.exe
Filesize
472KB

MD5
d86fd26b2340cead820b2a905c177c63

SHA1
313334f1d8e1a8a9c7473dead0a839c3f9855b86

SHA256
6ece2458ddfc2bc9be6d14d1c377b2a52bf502f3757ba8024de383d85899e21b

SHA512
b3dc478779d0e2a93e8fcac0e0a34e3737c8a08b0479203c73fda8f3e3345618d06485a070f17cc6d880d07c3436af4b4ba8df29dc184b0717f3a2753cbb6413

Download Submit
C:\Users\Admin\AppData\Roaming\Local\RSA\pthreadGC.dll
Filesize
50KB

MD5
2d6a905cbe6766adf6da9d4f5a461571

SHA1
4700349f065e96c40eb5f50aff554bf5b2eb2c21

SHA256
d47dc7d06a2873c65758568a16aee0349d87de35d8d6e7c4249f1276e81f14fa

SHA512
84e79aa2cf1d7d1d31224572f193ce5527504fb58ef79aa5e4fb672188b9dae4a5ebb4e1ba3a7d2958a0a43095023ed9ba2d36604570575fdd594d9b42786848

Download Submit
memory/624-130-0x0000000000000000-mapping.dmp

Download
memory/800-137-0x0000000000000000-mapping.dmp

Download
memory/1432-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing