830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570

General

Target

maui_3.exe
Size

763KB
MD5

2d02f5499d35a8dffb4c8bc0b7fec5c2
SHA1

870ccd59ad2d3808c014c7c1dcc8a54de375db0c
SHA256

830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
SHA512

a498ae7e85f3aed239b6e7c27ab9f4dd352973706cfbe07d821f7bfae39a5637b3a15acd45e272c669e9674f6ae4fb3a18dcf9276816f376e1fb32ec17d68791

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 5 IoCs

Processes:

maui_3.exe

description	ioc	process
File created	\??\c:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\desktop.ini	maui_3.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\desktop.ini	maui_3.exe
File created	\??\c:\Program Files\desktop.ini	maui_3.exe
File opened for modification	\??\c:\Program Files\desktop.ini	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	maui_3.exe

Drops file in Program Files directory 64 IoCs

Processes:

maui_3.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\glass.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightItalic.ttf	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v8.1.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxc	maui_3.exe
File created	\??\c:\Program Files\Common Files\System\msadc\msadco.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL	maui_3.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\JitV.dll	maui_3.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font_t2k.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	maui_3.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmpersistence_xl.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\security\blacklist	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MYSL.ICO	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.ELM	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	maui_3.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	maui_3.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\bin\nio.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms	maui_3.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	maui_3.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\hmmapi.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSO99LRES.DLL	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\resource.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dll	maui_3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	maui_3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

maui_3.exe

pid process

3820 maui_3.exe
3820 maui_3.exe

pid	process
3820	maui_3.exe
3820	maui_3.exe

C:\Users\Admin\AppData\Local\Temp\maui_3.exe
C:\Users\Admin\AppData\Local\Temp\maui_3.exe c:\
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dgo88D2.tmp

Filesize
480B

MD5
4527be1283a15c0b34e071283357b5cb

SHA1
6892373d9a0fd5872adaf0dbbc5acc9ee5c49585

SHA256
359ad2423d8236b1f0f32685a2ed29b07f780249d0ffbaefcff5f17f91ecdec4

SHA512
6f537eb6e5cc834eb1c5165ef0843182f1f27fd756d78c72fc8e88bd57c1293e033b009554107e3a5f4bda069ff054c1e0c8a61b49a414782fbf7d8126d5ef39

Download Submit

Analysis

Sharing