51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb

General

Target

51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe
Size

88KB
MD5

d3344243a5c6929fc3cf6402ca054eea
SHA1

bb96f66544cdd513ee96ae03cd4eae1f7b51218a
SHA256

51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb
SHA512

2b258c35d057bb7681fa88dc0d853713da6bdb2ff1d47c1cbfe5f7c18ad6e24065ea9814b38fda456b379838ef7322721a33a2c68411f2fc532617de4984379b
SSDEEP

1536:psbJO6kyhioBVsevhW0Bj1j9gMpgRxZxJXzXb0+PMpgRxZxJXzXb0+PgX:2bJO9yhioB6ep9XSRxZxJXzXb0+PMSRu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
216	credentials.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4288	4100	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe	83
PID 4100 wrote to memory of 4288	4100	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe	83
PID 4100 wrote to memory of 4288	4100	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe	83
PID 4288 wrote to memory of 4432	4288	csc.exe	85
PID 4288 wrote to memory of 4432	4288	csc.exe	85
PID 4288 wrote to memory of 4432	4288	csc.exe	85
PID 4100 wrote to memory of 216	4100	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe	86
PID 4100 wrote to memory of 216	4100	51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe	86

C:\Users\Admin\AppData\Local\Temp\51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe
"C:\Users\Admin\AppData\Local\Temp\51247a58f41ba112ce31ed44b0a68bc4db8f39763250071fe35957d1e3eaf9cb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @".\bfn3bfuk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25C8.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CSCBAFBF44336144B9B5885060886B17D.TMP"
    3⤵
    PID:4432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.exe"
  2⤵
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25C8.tmp

Filesize
1KB

MD5
41e71563ecdbae413c00713e5a5d61aa

SHA1
0e298401dcc464d3c1b01b79f43d0a6b456f0aa5

SHA256
62e9b615cea6e5779fca4046c3285d7080626b3d2572d8db47e214d300df6379

SHA512
b3789c005e6c2677993839512ce99532bddcbd62a42d353593922170aa66abae2fa368c07103da1c74374628a9d834d8414755c5b387027d7cdb1c5cb7d01637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.exe

Filesize
31KB

MD5
fc5c20bfc281594184bbc349f30e4e4a

SHA1
bf1f54f2a0d8b799567d60a7e526d169407e9443

SHA256
226c52dfaaa7debcd1681d9a79976e0099a335112d53c1deda3aa1f6b3265b4b

SHA512
7464827a8752328d33a208a05ce2961115bd88cc09819f7cace47f29ff9e1d18091485445f5123713d3a18ae43dec1e3183bb65c5febefa26662417a25aad68f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.exe

Filesize
31KB

MD5
fc5c20bfc281594184bbc349f30e4e4a

SHA1
bf1f54f2a0d8b799567d60a7e526d169407e9443

SHA256
226c52dfaaa7debcd1681d9a79976e0099a335112d53c1deda3aa1f6b3265b4b

SHA512
7464827a8752328d33a208a05ce2961115bd88cc09819f7cace47f29ff9e1d18091485445f5123713d3a18ae43dec1e3183bb65c5febefa26662417a25aad68f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.pdb

Filesize
47KB

MD5
25219c37ee3bde87b3d60d8dd8d1ce03

SHA1
2179630421501bd9c8cb5500bb8a725785a58b70

SHA256
55b3e5f31e452de68f2ada9aaea7a7eb0045f0303f260f0361e210b56895ea61

SHA512
86171aa79961c26ce244aa126a7475574973cdd5a9ba3893ee0e0474c23bd21f90d777c716a999bebf8a05f441f5f2d5ea25a919406fb96b96649d69e4cb52e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bfn3bfuk.0.cs

Filesize
52KB

MD5
e187c935e54aad97b7fad3532546cc9b

SHA1
07283057567d160618050b15f20da63e3a3117cc

SHA256
0b9a89956a9af8b5a307fd7e0b08972409055022722a1213d246f8bd0a0f4e76

SHA512
589c757324576edbe177ae6b94e557aeb77c7808e87aa3db8c63bd040347305024130fabb7ee72b95f7782dd0e0a605962c22cf8007e4a23181d1038637eed37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bfn3bfuk.cmdline

Filesize
319B

MD5
a8edfb4e7315239d70e8705f8034560e

SHA1
4567f5470b688a5ebc8a0995c190fd3028f44ea5

SHA256
31bd9828ec47be7524d7dcc100f94fd88b22ff4f0f9da8bb028bf6db5f86c5b7

SHA512
76b5b76c20884ba19e307a049291a6afd643c814456f0ab70b0e4184e768e7b9d6556a848433bf07b7218f40af008a1fe9a95e695e1b399a6c915fe40655d96e

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CSCBAFBF44336144B9B5885060886B17D.TMP

Filesize
1KB

MD5
0373b9d11bb24d0a0bbccb1874f85f23

SHA1
012fd21f0cfdfabdda6c77acee6d2e48c0d07436

SHA256
a74ac62c89282fdf46276afca79d8c3f32578505d589f8932a89474106c0bbb9

SHA512
8975beedbd6237de33e753ae341c05119e599637894b68f02e5e456a86c083c62975e36f1bb2ef8a5d9e459e55f206ab1f8a4c08faf253916f92b512c276be24

Download Submit
memory/216-142-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/216-143-0x00007FF82F1A0000-0x00007FF82FC61000-memory.dmp

Filesize
10.8MB

Download
memory/4100-132-0x0000000000FA0000-0x0000000000FBC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing