b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a

General

Target

b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
Size

11.1MB
MD5

bb75006881acf08328e61ee174853fa5
SHA1

b93e32bd55354bc67be5b50a364c67e760fca62b
SHA256

b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a
SHA512

78feb1e62e5394ccd57eb834643c9d23e85e857c8077e5262f7b0d37555cb8275b8b0ae903659e99224ce4c06d705a69a4388ff9fc49a63a1bc1a2a1735f1a89
SSDEEP

196608:9Vg6dKfSwWpQn1c+uGIJm2iNq+/t+D/BHlAqr+9U2jsINu3lRDGFQVqTzJyLFDfp:9Vg64fSsOXm2mzw/5lt+9aIN4KF5KFjp

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyip.akamai.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
848	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
848	vlc.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe
848	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
848	vlc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1164 wrote to memory of 1620	1164	b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe	27
PID 1620 wrote to memory of 848	1620	rundll32.exe	29
PID 1620 wrote to memory of 848	1620	rundll32.exe	29
PID 1620 wrote to memory of 848	1620	rundll32.exe	29
PID 1620 wrote to memory of 848	1620	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe
"C:\Users\Admin\AppData\Local\Temp\b3fe78dad4be7e49a19ab77c4e01c59381dbf5b1a0c37c7e117916038323d51a.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stripdurak_)-spaces.ru.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\stripdurak_)-spaces.ru.rar"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\stripdurak_)-spaces.ru.rar

Filesize
11.0MB

MD5
1b04344861d067b461c714c642bb370c

SHA1
15d142b802606cb877761769c4604e23c36f2d46

SHA256
ae18f157dd6ba4b7fe9463ca5df35f21caa72bf7f925b10fb89e8117f99b788a

SHA512
6271b70aff8439f5fb7a4fab2f27c6bc646865d7473f3940bbb84e89ca5eebf0b4de01ae55ac993882c16226a18a4b4c3cfd3a0a1c341dfba317c03b17c15fbc

Download Submit
memory/848-59-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1164-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x0000000000400000-0x0000000000F5F000-memory.dmp

Filesize
11.4MB

Download
memory/1164-61-0x0000000000400000-0x0000000000F5F000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing