0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717

General

Target

0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe
Size

76KB
MD5

0468e071687ca7e8bea498c6e9544b7e
SHA1

219d3785555a627b66abe571dcf13d09dd98ffc9
SHA256

0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717
SHA512

0705faa0554a4dcd5115835510a2cd5011b7f74c74613763a2ce6c20fa106ee64939515aa654378642abc6f758e33961df95f2ad96ea70c23526735e3ec4793b
SSDEEP

1536:iAhTyTTFQNC13U4rtnDb4tmJb09AtOyBTc/S6vbhdDeB7Fb:vhT2137DYmJbztNBA/SOfe/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1828	wg.exe
2044	fz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00150000000054ab-56.dat	upx
behavioral1/files/0x00150000000054ab-60.dat	upx
behavioral1/memory/1828-63-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1828	wg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	wg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 1828	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	27
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1140 wrote to memory of 2044	1140	0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe	28
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29
PID 1828 wrote to memory of 968	1828	wg.exe	29

C:\Users\Admin\AppData\Local\Temp\0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe
"C:\Users\Admin\AppData\Local\Temp\0a7b8acf55838642e78e58e93866f190d943c194299a8a0bc0d9a41bd7bd1717.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\wg.exe
  "C:\wg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del "C:\wg.exe"
    3⤵
    PID:968
- C:\fz.exe
  "C:\fz.exe"
  2⤵
  - Executes dropped EXE
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fz.exe

Filesize
36KB

MD5
04180d3fd8c0c82001a18214b15f974b

SHA1
f71501dd1e184cffac99f89d0608725906fac230

SHA256
f6b48da74fa0697689f91b3da41e866831f80fc447ed5a135dff5a88a98ba900

SHA512
eacf076f697c1f42a0cabf82e2895a7786614bb07a906bf204fc1b4c7ca4d970414c61cba546cff6db7fddee9c8bf96a9f31593d6d0f241dc9ab9697b4e0aca2

Download Submit
C:\fz.exe

Filesize
36KB

MD5
04180d3fd8c0c82001a18214b15f974b

SHA1
f71501dd1e184cffac99f89d0608725906fac230

SHA256
f6b48da74fa0697689f91b3da41e866831f80fc447ed5a135dff5a88a98ba900

SHA512
eacf076f697c1f42a0cabf82e2895a7786614bb07a906bf204fc1b4c7ca4d970414c61cba546cff6db7fddee9c8bf96a9f31593d6d0f241dc9ab9697b4e0aca2

Download Submit
C:\wg.exe

Filesize
27KB

MD5
f8f23081bd5b889c437606aef37731dd

SHA1
7e9aefec1f0a66cd5a64b9a683e3a864f1497e3b

SHA256
3eca4380bd9f3e2aa5b7c6a6f2bc3a3c7dd6a54c44f91b3f7afd82839f8f0ab0

SHA512
8b3a7acdde25181232f73d9c881aa9389c1ad9036c05c9fb7c1f534ca6bb15f18bc6460563438091ffcfe7769105bea9b990baf8dea956347726187bd14d32b8

Download Submit
C:\wg.exe

Filesize
27KB

MD5
f8f23081bd5b889c437606aef37731dd

SHA1
7e9aefec1f0a66cd5a64b9a683e3a864f1497e3b

SHA256
3eca4380bd9f3e2aa5b7c6a6f2bc3a3c7dd6a54c44f91b3f7afd82839f8f0ab0

SHA512
8b3a7acdde25181232f73d9c881aa9389c1ad9036c05c9fb7c1f534ca6bb15f18bc6460563438091ffcfe7769105bea9b990baf8dea956347726187bd14d32b8

Download Submit
memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1828-65-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1828-64-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1828-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1828-66-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing