17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355

General

Target

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
Size

3.0MB
MD5

7ec8ecb42a68d7064babb5bee18c8251
SHA1

70f81f6cd550981bf97665f19730c0cf696022c1
SHA256

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355
SHA512

85429f2dc6bdcc558910b30118741f1c401f7a33557dc5c8ab3e56969d22ab9840506c916f83c8af48b722d6f26c848c166bfa21d6ba8fe4f0bbb2ad7d26bdf5
SSDEEP

49152:jggTws/XWGgeLB45FkmCMYghoFfSbqgG23TSPfxWw8zJFtpWvgi/CmpVyR96S:cU/XPByFDNhoFfSbqgGEGPfx1cdu/l

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

pid	process
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

pid	process
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

description pid process

Token: SeDebugPrivilege 1352 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

description	pid	process
Token: SeDebugPrivilege	1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe

description	pid	process	target process
PID 1324 wrote to memory of 1352	1324	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
PID 1324 wrote to memory of 1352	1324	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
PID 1324 wrote to memory of 1352	1324	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
PID 1324 wrote to memory of 1352	1324	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
PID 1352 wrote to memory of 1756	1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	cmd.exe
PID 1352 wrote to memory of 1756	1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	cmd.exe
PID 1352 wrote to memory of 1756	1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	cmd.exe
PID 1352 wrote to memory of 1756	1352	17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
"C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe
"C:\Users\Admin\AppData\Local\Temp\17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy 17c2070f9c9c0c9086d1cbfc78080478737a90523cd1add67eb233be806e0355.exe C:\SystemVolume\Program\
3⤵
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13242\_psutil_mswindows.pyd

Filesize
35KB

MD5
24a624cfac7d2982c8e3a653a3babe8a

SHA1
444cd7c84b74667c920c879dc8d2fb7b4d702aa8

SHA256
195374f37ff4271fbd2f4def5305d30af703633e542fe6f7636b173de197d8af

SHA512
5fb7232b4708b89cd1b5cba5124836f6f5ac7c6dbab3be66feddceb38f346032783c618c20b247b572598340c55e7146f384d157c0ed35e85d0e15ea3493326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_socket.pyd

Filesize
40KB

MD5
b7c3e334648a6cbb03b550b842818409

SHA1
767be295f1e4adedf0e10532f9c1b7908d17383a

SHA256
f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd

SHA512
43ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\_ssl.pyd

Filesize
704KB

MD5
27a7a40b2b83578e0c3bffb5a167d67a

SHA1
d20a7d3308990ce04839569b66f8639d6ed55848

SHA256
ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4

SHA512
7b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13242\python27.dll

Filesize
2.3MB

MD5
676fc65e4a49a525df0ecde3596f3ae5

SHA1
e125975958b08207be081e94ca1674fec0bcec98

SHA256
c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1

SHA512
3a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13242\_psutil_mswindows.pyd

Filesize
35KB

MD5
24a624cfac7d2982c8e3a653a3babe8a

SHA1
444cd7c84b74667c920c879dc8d2fb7b4d702aa8

SHA256
195374f37ff4271fbd2f4def5305d30af703633e542fe6f7636b173de197d8af

SHA512
5fb7232b4708b89cd1b5cba5124836f6f5ac7c6dbab3be66feddceb38f346032783c618c20b247b572598340c55e7146f384d157c0ed35e85d0e15ea3493326e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13242\_socket.pyd

Filesize
40KB

MD5
b7c3e334648a6cbb03b550b842818409

SHA1
767be295f1e4adedf0e10532f9c1b7908d17383a

SHA256
f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd

SHA512
43ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13242\_ssl.pyd

Filesize
704KB

MD5
27a7a40b2b83578e0c3bffb5a167d67a

SHA1
d20a7d3308990ce04839569b66f8639d6ed55848

SHA256
ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4

SHA512
7b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13242\python27.dll

Filesize
2.3MB

MD5
676fc65e4a49a525df0ecde3596f3ae5

SHA1
e125975958b08207be081e94ca1674fec0bcec98

SHA256
c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1

SHA512
3a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42

Download Submit
memory/1352-57-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1352-65-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1352-60-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1352-54-0x0000000000000000-mapping.dmp

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads