ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c

General

Target

ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Size

1.3MB
MD5

05346ee80d041822a94e82cecf495d02
SHA1

eed7314ac09767dde281249fd4568a7a10c7e3ee
SHA256

ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c
SHA512

c8e60f3fe18ecd6e3a4d5b0f3ac3ff8908ba3c06d6d0ab2e9da0e878ca4b8c8fee1ffc667712f6916f9e40f2d514ab5bd291eac359c3ada4d79693079488927b
SSDEEP

24576:xbwzN9leQIpYpohcAznlT8jIdNqn/V+pj4E4a9/nnFII+yDFmq3QOwc/s5rn:aBLeQIpYpmc4nx8jMq9k4/W/nn1+yR3I

Score

9^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oC7s317 = "\"C:\\Users\\Admin\\AppData\\Roaming\\oC7s317.exe\" opt"	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\SearchScopes	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}"	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Key created	\REGISTRY\USER\	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
Token: SeCreateGlobalPrivilege	4964	ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe

C:\Users\Admin\AppData\Local\Temp\ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe
"C:\Users\Admin\AppData\Local\Temp\ed776dca9647532964a09cb10867624bd13e0981e592f65d5a3c5e0e2ed63c6c.exe"
1⤵
- Enumerates VirtualBox registry keys
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

Software Discovery

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4964-132-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-133-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-134-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-136-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-137-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-138-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-139-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-140-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4964-141-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads