b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7

General

Target

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
Size

1.3MB
MD5

b3bd36c13ec6c9cf0436064a5bead336
SHA1

2b7579230c629d44f6b1bd854b958954ddfa207f
SHA256

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7
SHA512

b4756964af56a46c739d7f0f558001d9faa275f0a4b96aaad9eae684b39e6933835cd08a8b0700b2fe21dbbc60ea7f4c0fd11daa850ffdf2761131dd4ec1dfd7
SSDEEP

24576:+s5jVdqt7MREUwiMzyPLKUe/YCix/Brm3ig93BtWDp8x:+s5jrA7MRg7wLK7gF/8SgBBtWD

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Sex mashine.exe

pid process

1108 Sex mashine.exe

pid	process
1108	Sex mashine.exe

Loads dropped DLL 2 IoCs

Processes:

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

pid	process
1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

pid	process
1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe

description	pid	process	target process
PID 1672 wrote to memory of 1108	1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe	Sex mashine.exe
PID 1672 wrote to memory of 1108	1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe	Sex mashine.exe
PID 1672 wrote to memory of 1108	1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe	Sex mashine.exe
PID 1672 wrote to memory of 1108	1672	b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe	Sex mashine.exe

C:\Users\Admin\AppData\Local\Temp\b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe
"C:\Users\Admin\AppData\Local\Temp\b5f94e2e83eb4dbf4022650338fb9b66d9daff9ccef2c6e1f0599a9e605280f7.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\Sex mashine.exe
  "C:\Users\Admin\AppData\Local\Temp\Sex mashine.exe"
  2⤵
  - Executes dropped EXE
  PID:1108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sex mashine.exe

Filesize
1.1MB

MD5
386263d0f48b65645fb32cd461985b96

SHA1
53059d9805fb36777d383a2c5c0f2875aa682b35

SHA256
691b44afde634b48c5a532af7e8ef5861d4424a9d962d740d78a58ad546f919c

SHA512
35e2c24e0c28e0969fb5f001047fba8bc989235ba7c39a9d263779b6516d2851ce382caf560de0a3db108b91f8f945b1cda23b152b2b970f7e3ed8e171a5a5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sex mashine.exe

Filesize
1.1MB

MD5
386263d0f48b65645fb32cd461985b96

SHA1
53059d9805fb36777d383a2c5c0f2875aa682b35

SHA256
691b44afde634b48c5a532af7e8ef5861d4424a9d962d740d78a58ad546f919c

SHA512
35e2c24e0c28e0969fb5f001047fba8bc989235ba7c39a9d263779b6516d2851ce382caf560de0a3db108b91f8f945b1cda23b152b2b970f7e3ed8e171a5a5a7

Download Submit
\Users\Admin\AppData\Local\Temp\Sex mashine.exe

Filesize
1.1MB

MD5
386263d0f48b65645fb32cd461985b96

SHA1
53059d9805fb36777d383a2c5c0f2875aa682b35

SHA256
691b44afde634b48c5a532af7e8ef5861d4424a9d962d740d78a58ad546f919c

SHA512
35e2c24e0c28e0969fb5f001047fba8bc989235ba7c39a9d263779b6516d2851ce382caf560de0a3db108b91f8f945b1cda23b152b2b970f7e3ed8e171a5a5a7

Download Submit
\Users\Admin\AppData\Local\Temp\Sex mashine.exe

Filesize
1.1MB

MD5
386263d0f48b65645fb32cd461985b96

SHA1
53059d9805fb36777d383a2c5c0f2875aa682b35

SHA256
691b44afde634b48c5a532af7e8ef5861d4424a9d962d740d78a58ad546f919c

SHA512
35e2c24e0c28e0969fb5f001047fba8bc989235ba7c39a9d263779b6516d2851ce382caf560de0a3db108b91f8f945b1cda23b152b2b970f7e3ed8e171a5a5a7

Download Submit
memory/1108-59-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1672-56-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1672-61-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads