9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb

General

Target

9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
Size

821KB
MD5

026f391b1d51a4a3704fa5b04e60b71c
SHA1

665984e68ec6c14e5c993cc091fed6acff1f657e
SHA256

9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb
SHA512

35363ea7cbd11f391f9f3f3916007fe78d7f49c24159f920cc8fb6ca9928156435fd79b0184ec50c45f2202ce016732d8f33d469faf1a8db18211eb759855dec
SSDEEP

24576:Ebcr1kKQVqv+aHz0j2Fof53IP3ZomLurWGsMDSgFiaul:EbcrZQVaLzLoRYPJFyh+glul

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1104 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1104	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe

pid	process
1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1260 DllHost.exe

pid	process
1260	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe

description	pid	process	target process
PID 1604 wrote to memory of 1104	1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe	cmd.exe
PID 1604 wrote to memory of 1104	1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe	cmd.exe
PID 1604 wrote to memory of 1104	1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe	cmd.exe
PID 1604 wrote to memory of 1104	1604	9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe
"C:\Users\Admin\AppData\Local\Temp\9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\9d08e5d9cb0e0f7a4819d39e94d29a89e04a2a739ebcbe24becda189a51da6fb.exe" >> NUL
2⤵
- Deletes itself
PID:1104

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jellyfish.jpg

Filesize
757KB

MD5
5a44c7ba5bbe4ec867233d67e4806848

SHA1
3b15be84aff20b322a93c0b9aaa62e25ad33b4b4

SHA256
6ca0eafb20496edf23fc1480e8b545399f484a630698324be652ed10f45fa2fc

SHA512
b69615f8f303eed22fdf0677a8d57b4b61df3487e385b5c2f108774a75a195b6f0dee1f0161c46118821b6b4478af68450db8620e735d13c518a565f4708a680

Download Submit
memory/1104-58-0x0000000000000000-mapping.dmp

Download
memory/1604-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1604-55-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1604-59-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads