800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a

General

Target

800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
Size

184KB
MD5

9d24c5085948664b6646aa53668697ba
SHA1

f90ae6424cc532804fc1c58637b5f77781bc68ec
SHA256

800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a
SHA512

7a8d0429e1e93eed853a736c3961e1860227e4601c70b62b56aafbe087d6ae878eac58567985f11e8e495b268559313e9e850a4247430bdd2ac81a23c4fe3097
SSDEEP

3072:wSVXqlrzCAIxhUWi4SMy6yFuLmV/VhkYhaTe/TY6tMfLpWpOo:ToIUWi/MvyaqrsTKG0Oo

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe

pid	process
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.execmd.exe

description	pid	process	target process
PID 5088 wrote to memory of 3124	5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe	cmd.exe
PID 5088 wrote to memory of 3124	5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe	cmd.exe
PID 5088 wrote to memory of 3124	5088	800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe	cmd.exe
PID 3124 wrote to memory of 4292	3124	cmd.exe	attrib.exe
PID 3124 wrote to memory of 4292	3124	cmd.exe	attrib.exe
PID 3124 wrote to memory of 4292	3124	cmd.exe	attrib.exe
PID 3124 wrote to memory of 4240	3124	cmd.exe	attrib.exe
PID 3124 wrote to memory of 4240	3124	cmd.exe	attrib.exe
PID 3124 wrote to memory of 4240	3124	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4240 attrib.exe
4292 attrib.exe

pid	process
4240	attrib.exe
4292	attrib.exe

C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe
"C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\TKBLMJ~1.DEF\crashes\events\A45ETM~1.BAT
2⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\800734bbcf398b473feefb61fc0a757bf01f83c7e1055063fc097f1f3e93e06a.exe"
3⤵
- Views/modifies file attributes
PID:4292

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tkblmjt0.default-release\crashes\events\A45E.tmp.bat"
3⤵
- Views/modifies file attributes
PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\TKBLMJ~1.DEF\crashes\events\A45E.tmp.bat
Filesize
630B

MD5
f978336c69a0e0f4067579ca5c8497b6

SHA1
882a15c5ec784ec999216e371f3d56c31b7a23d2

SHA256
11db65d21b5e865a95b74d89ac736314362173f4f5884bd46d3c7f0b08607955

SHA512
8af2d42ab8bd9e3d90ec7416870b1ef4c5bff2da5df111a5c436876e20e61ddcaa2470a85a87efa5570b7a9364e9f751f22c3c5da6665a32fe6f83d418f367a3

Download Submit
memory/3124-138-0x0000000000000000-mapping.dmp

Download
memory/4240-142-0x0000000000000000-mapping.dmp

Download
memory/4292-141-0x0000000000000000-mapping.dmp

Download
memory/5088-132-0x00000000021C0000-0x0000000002202000-memory.dmp

Filesize
264KB

Download
memory/5088-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-136-0x00000000021C0000-0x0000000002202000-memory.dmp

Filesize
264KB

Download
memory/5088-137-0x00000000021C0000-0x0000000002202000-memory.dmp

Filesize
264KB

Download
memory/5088-139-0x00000000021C0000-0x0000000002202000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads