33c3a1918527945f7d2ede01a423b626a051ccfcbd8a6479f340af0fe34752bd

General

Target

Fattoruso Tech Srl RFQ.exe
Size

620KB
MD5

260f6e729e919bef46b9fde9584e62cf
SHA1

f9861fe9d82a7d8ac405b6a4adf8ebae60133692
SHA256

021a0fc05ac41240f0388f147781324d51e1a31ce772a628d7ad9705aad3a8d4
SHA512

6fd3caf7b08706ee8e24c60caf5d90d5a49091ebf362222fbdf4a40d8f20f0f658be318f67ca1f559ac9f5e56e5bfffff395e7b3f3f826a48d4f393016edadd6
SSDEEP

12288:HToPWBv/cpGrU3yx3meidRqvZuyd+ZgBNV9W3PkdE:HTbBv5rUKm20y8ZgN94KE

Score

10^/10

collection spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.lizaneya.com
Port:
21
Username:
[email protected]
Password:
@lizaneya.com

Signatures

Executes dropped EXE 1 IoCs

Processes:

wtwneqwyfkze.exe

pid process

4596 wtwneqwyfkze.exe

pid	process
4596	wtwneqwyfkze.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fattoruso Tech Srl RFQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Fattoruso Tech Srl RFQ.exe

Loads dropped DLL 1 IoCs

Processes:

wtwneqwyfkze.exe

pid process

5016 wtwneqwyfkze.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5016	wtwneqwyfkze.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wtwneqwyfkze.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wtwneqwyfkze.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wtwneqwyfkze.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wtwneqwyfkze.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\services.msc mmc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wtwneqwyfkze.exe

description pid process target process

PID 4596 set thread context of 5016 4596 wtwneqwyfkze.exe wtwneqwyfkze.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2024 4596 WerFault.exe wtwneqwyfkze.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wtwneqwyfkze.exe

pid process

5016 wtwneqwyfkze.exe
5016 wtwneqwyfkze.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

4608 mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services.msc	mmc.exe

description	pid	process	target process
PID 4596 set thread context of 5016	4596	wtwneqwyfkze.exe	wtwneqwyfkze.exe

pid	pid_target	process	target process
2024	4596	WerFault.exe	wtwneqwyfkze.exe

pid	process
5016	wtwneqwyfkze.exe
5016	wtwneqwyfkze.exe

pid	process
4608	mmc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

wtwneqwyfkze.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	5016	wtwneqwyfkze.exe
Token: 33	4608	mmc.exe
Token: SeIncBasePriorityPrivilege	4608	mmc.exe
Token: 33	4608	mmc.exe
Token: SeIncBasePriorityPrivilege	4608	mmc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mmc.exe

pid process

4608 mmc.exe
4608 mmc.exe
4608 mmc.exe
4608 mmc.exe

pid	process
4608	mmc.exe
4608	mmc.exe
4608	mmc.exe
4608	mmc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Fattoruso Tech Srl RFQ.exewtwneqwyfkze.exe

description	pid	process	target process
PID 3300 wrote to memory of 4596	3300	Fattoruso Tech Srl RFQ.exe	wtwneqwyfkze.exe
PID 3300 wrote to memory of 4596	3300	Fattoruso Tech Srl RFQ.exe	wtwneqwyfkze.exe
PID 3300 wrote to memory of 4596	3300	Fattoruso Tech Srl RFQ.exe	wtwneqwyfkze.exe
PID 4596 wrote to memory of 5016	4596	wtwneqwyfkze.exe	wtwneqwyfkze.exe
PID 4596 wrote to memory of 5016	4596	wtwneqwyfkze.exe	wtwneqwyfkze.exe
PID 4596 wrote to memory of 5016	4596	wtwneqwyfkze.exe	wtwneqwyfkze.exe
PID 4596 wrote to memory of 5016	4596	wtwneqwyfkze.exe	wtwneqwyfkze.exe

outlook_office_path 1 IoCs

Processes:

wtwneqwyfkze.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wtwneqwyfkze.exe

outlook_win_path 1 IoCs

Processes:

wtwneqwyfkze.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wtwneqwyfkze.exe

C:\Users\Admin\AppData\Local\Temp\Fattoruso Tech Srl RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\Fattoruso Tech Srl RFQ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
"C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
"C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 460
3⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4596 -ip 4596
1⤵
PID:4928

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bezxgqnld.f
Filesize
4KB

MD5
df7b91634fc1d56dd3048980a8bf6d33

SHA1
716b83bec07c9a05d90478d71f456ddabd4877c2

SHA256
272a642d13de5d72710d59b26900bc314569be5b29f220aded6dd81057b352e7

SHA512
893ace0e57401f78e02f42c362aa8579282988c013916580f6736ecfd8b77bce5d086838d4938d49a0eedccd544698bae4fd66bf625adc4d7f85bd44ab2756f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdonaofiwo.y
Filesize
287KB

MD5
b9ed3775ace564793d6474ed8457c7c8

SHA1
e325a2da394bed7a9b3d40106a5949164bcb9ca0

SHA256
a3ad142d0725d1e759c50d76d8e74aff30ead2c3160d088d14eaca17a30bbd72

SHA512
154862300a9c1f1a0125bdcaf69968e58a3e7ff966e3a106d4f1e75226723631ed59c1fe0f82e73c4376ef2344d4645f356cfb7853375b5ed451ea20553a49fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
Filesize
56KB

MD5
1621979c40f8555bcdc436d9ddf1e0d2

SHA1
6632b1e5c58e7df15cdfb47f40f531627138e956

SHA256
194ddf309c2471eccfedd7327bbcdc44e0a5f1b0f692f13b57b166909d52c6ec

SHA512
f393d182487ceebca7f62a506b316a2058b67ea682ad5a533f4563e958e290d35cf954f497177716915aee38b976eb8dae626cee237a1426bf90cbda6572f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
Filesize
56KB

MD5
1621979c40f8555bcdc436d9ddf1e0d2

SHA1
6632b1e5c58e7df15cdfb47f40f531627138e956

SHA256
194ddf309c2471eccfedd7327bbcdc44e0a5f1b0f692f13b57b166909d52c6ec

SHA512
f393d182487ceebca7f62a506b316a2058b67ea682ad5a533f4563e958e290d35cf954f497177716915aee38b976eb8dae626cee237a1426bf90cbda6572f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
Filesize
56KB

MD5
1621979c40f8555bcdc436d9ddf1e0d2

SHA1
6632b1e5c58e7df15cdfb47f40f531627138e956

SHA256
194ddf309c2471eccfedd7327bbcdc44e0a5f1b0f692f13b57b166909d52c6ec

SHA512
f393d182487ceebca7f62a506b316a2058b67ea682ad5a533f4563e958e290d35cf954f497177716915aee38b976eb8dae626cee237a1426bf90cbda6572f153

Download Submit
memory/4596-132-0x0000000000000000-mapping.dmp

Download
memory/5016-137-0x0000000000000000-mapping.dmp

Download
memory/5016-139-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/5016-140-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/5016-141-0x00000000064B0000-0x0000000006516000-memory.dmp

Filesize
408KB

Download
memory/5016-142-0x0000000006930000-0x0000000006980000-memory.dmp

Filesize
320KB

Download
memory/5016-143-0x0000000006EA0000-0x0000000006F32000-memory.dmp

Filesize
584KB

Download
memory/5016-144-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads