ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694

General

Target

ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Size

58KB
MD5

7005c454bb652c62da02da60f1205b77
SHA1

0cf302ee60e42cb12b56c394983d53d56fc3c2d1
SHA256

ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694
SHA512

ae9de19c672c80977e009b2e03d577e1c2625843b9dc47179b03fe0e48281010334df47c5b8ecab77788387a635dab1954b4b77ddc21b2f97700d95977d1d759
SSDEEP

1536:PaHLtZfHy0O/JuSkZWeGkqbT3ckFqtLUNCdJ:PaHzHY/JBOQksAkItZJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "398336"	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "file://localhost/C:/www.google.com.htm"	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 620 wrote to memory of 1708	620	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	27
PID 1708 wrote to memory of 1192	1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	16
PID 1708 wrote to memory of 1192	1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	16
PID 1708 wrote to memory of 1192	1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	16
PID 1708 wrote to memory of 1192	1708	ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
  "C:\Users\Admin\AppData\Local\Temp\ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
    C:\Users\Admin\AppData\Local\Temp\ebc3cb7fb47e4680b48e8951fcee6d60d1c9f30aab110cc77a122f65f4fe2694.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-63-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1708-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1708-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1708-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1708-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1708-61-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1708-62-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1708-66-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads