65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53

General

Target

65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe
Size

556KB
MD5

0f5c4d2cd391b5fe98f5fbc275a6cc5f
SHA1

f2ce06133b55ae287c48caf493d8763a9d170c21
SHA256

65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53
SHA512

d22764fce82d35fa325c6b52a9b21283eebeef9c9062bfb4e2ced172ed79ccf12a9f7797d3f59e19d1b5a890c400ffe7b18ba6567afce1b3d8e849d165dcf501
SSDEEP

12288:ObYco+gunfCEAWfykqVNe3U24eFtMqa0Jl3s4Ew:O0ZunjaVNe3U21tMqaOl84Ew

Score

9^/10

Malware Config

Signatures

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/memory/5008-136-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/4072-141-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3788-145-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral2/memory/3788-147-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
5008	ProduKey.exe
4072	iepv.exe
3788	passwordfox.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e726-134.dat	upx
behavioral2/files/0x000200000001e726-135.dat	upx
behavioral2/memory/5008-136-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0006000000022e48-139.dat	upx
behavioral2/files/0x0006000000022e48-140.dat	upx
behavioral2/memory/4072-141-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e4a-143.dat	upx
behavioral2/files/0x0006000000022e4a-144.dat	upx
behavioral2/memory/3788-145-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/3788-147-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	iepv.exe
Token: SeRestorePrivilege	4072	iepv.exe
Token: SeBackupPrivilege	4072	iepv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 5008	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	82
PID 4656 wrote to memory of 5008	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	82
PID 4656 wrote to memory of 5008	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	82
PID 4656 wrote to memory of 4072	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	83
PID 4656 wrote to memory of 4072	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	83
PID 4656 wrote to memory of 4072	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	83
PID 4656 wrote to memory of 3788	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	84
PID 4656 wrote to memory of 3788	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	84
PID 4656 wrote to memory of 3788	4656	65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe	84

C:\Users\Admin\AppData\Local\Temp\65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe
"C:\Users\Admin\AppData\Local\Temp\65525fc590ba9017e6a9fe583040370b4102dbb21f543b6624c7f76b1a394b53.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
  C:\Users\Admin\AppData\Local\Temp\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\ProduKey.txt
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\iepv.exe
  C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\iepv.txt
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
  C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
  2⤵
  - Executes dropped EXE
  PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProduKey.exe

Filesize
35KB

MD5
279c6d1ff7c0dc77d68b6013288b40a8

SHA1
21e3620bfab7fa8c9c8ff0414b52a8e3f23d1fc2

SHA256
8e2373e94bff10ecb08e9e0cdeaa65ed57aec89f99312d3bbd90ab72de4f98f3

SHA512
a7ab94cac449b9494419d1e6fb9ea3cdd58a1c455fb003b3376b5717655aa15669eebdcfefffd18958326f15526afdac9b8978b47769e901f06ac2c782fc7ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProduKey.exe

Filesize
35KB

MD5
279c6d1ff7c0dc77d68b6013288b40a8

SHA1
21e3620bfab7fa8c9c8ff0414b52a8e3f23d1fc2

SHA256
8e2373e94bff10ecb08e9e0cdeaa65ed57aec89f99312d3bbd90ab72de4f98f3

SHA512
a7ab94cac449b9494419d1e6fb9ea3cdd58a1c455fb003b3376b5717655aa15669eebdcfefffd18958326f15526afdac9b8978b47769e901f06ac2c782fc7ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProduKey.txt

Filesize
725B

MD5
2a98a84f69f1c7f4cf7c0323d293e1fd

SHA1
28291a4aeb3352e8a03139b417bde240590058b0

SHA256
297a3e1c4ae94423f4974c1acaa1be58ee6f6f8e06058be40a006e0cb4f9473d

SHA512
38b6b2998bc86d3575d4d8e3948048181d904a2a1793d9161302a72762342814cd9b5f67d0ae9d9f5a48e9ad6c565a7f179f3a9d6eadc3c19db8100f81fec126

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe

Filesize
42KB

MD5
28c110b8d0ad095131c8d06043678086

SHA1
c684cf321e890e0e766a97609a4cde866156d6c5

SHA256
dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1

SHA512
065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe

Filesize
42KB

MD5
28c110b8d0ad095131c8d06043678086

SHA1
c684cf321e890e0e766a97609a4cde866156d6c5

SHA256
dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1

SHA512
065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe

Filesize
37KB

MD5
a1d6a37917dcf4471486bc5a0e725cc6

SHA1
5b09f10dc215078ae44f535de12630c38f3b86e3

SHA256
8a06acd1158060a54d67098f07c1ff7895f799bc5834179b8aae04d28fb60e17

SHA512
5798a5d85052d5c2f6b781b91a400c85bc96c0127cc4e18079bff1f17bd302dc07c0f015ddf1105621a841680057322eb0172ba06063f55d795b7b079f1d26d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe

Filesize
37KB

MD5
a1d6a37917dcf4471486bc5a0e725cc6

SHA1
5b09f10dc215078ae44f535de12630c38f3b86e3

SHA256
8a06acd1158060a54d67098f07c1ff7895f799bc5834179b8aae04d28fb60e17

SHA512
5798a5d85052d5c2f6b781b91a400c85bc96c0127cc4e18079bff1f17bd302dc07c0f015ddf1105621a841680057322eb0172ba06063f55d795b7b079f1d26d2

Download Submit
memory/3788-145-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3788-147-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4072-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4656-132-0x00007FF962490000-0x00007FF962EC6000-memory.dmp

Filesize
10.2MB

Download
memory/4656-146-0x0000000000B4A000-0x0000000000B4F000-memory.dmp

Filesize
20KB

Download
memory/4656-148-0x0000000000B4A000-0x0000000000B4F000-memory.dmp

Filesize
20KB

Download
memory/5008-136-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing