55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681

General

Target

55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
Size

55KB
MD5

710850ca169e4e00e0adbba52e379a00
SHA1

dfda4a0dd6e745d8d4f53f66db2371c4a667933d
SHA256

55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681
SHA512

92b27e26a2694aa6d3581ea27a1bf5879a3b2aee030ef01abcdefa61de90b63f231770d6be32c114345bf5d2e2abdbbf9c165f0e216b8f4e7ec033e44bd4d244
SSDEEP

768:DWiGwTJCwVnwnBx9yuwaGjhyEouqWcPlgLEVQZ3AJ47IIMbLJrxAAMoBRYkqHrk5:tLMjnpR6Kl0EVQ774rxVMoBR0kAc

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	whatismyip.akamai.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
1632	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
1632	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
1632	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27
PID 1108 wrote to memory of 1632	1108	55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe	27

C:\Users\Admin\AppData\Local\Temp\55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
"C:\Users\Admin\AppData\Local\Temp\55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe
  "C:\Users\Admin\AppData\Local\Temp\55fb62900c40991ad9d5c43dc13b3012beaa599f53d31ec3a4a85515da3f8681.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1632-66-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-67-0x0000000000456000-0x000000000045C000-memory.dmp

Filesize
24KB

Download
memory/1632-68-0x0000000000456000-0x000000000045C000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing