fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3

General

Target

fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
Size

204KB
MD5

746ff3610cdc083a885e38f7cb60f514
SHA1

41580ad0d1dd4699503ddccc2f97a048837c40b0
SHA256

fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3
SHA512

3ea21cbd9e92f47eb886e46d4236896cb9881f3943e7a5b6ffc6a88d25b0aa55e49e021719499eb96ae526e2f8ebac04bafee9b3d0ec2333f2fd49ea795cc217
SSDEEP

3072:fV1rnlzPUkCuW3zykixxTakHhY6pd23LaXfR6MnJnmjF:NVCjmWGplBRmjF

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

964 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
964	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe

pid	process
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.execmd.exe

description	pid	process	target process
PID 1508 wrote to memory of 964	1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe	cmd.exe
PID 1508 wrote to memory of 964	1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe	cmd.exe
PID 1508 wrote to memory of 964	1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe	cmd.exe
PID 1508 wrote to memory of 964	1508	fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe	cmd.exe
PID 964 wrote to memory of 928	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 928	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 928	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 928	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1192	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1192	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1192	964	cmd.exe	attrib.exe
PID 964 wrote to memory of 1192	964	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

928 attrib.exe
1192 attrib.exe

pid	process
928	attrib.exe
1192	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe
"C:\Users\Admin\AppData\Local\Temp\fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\AE6VYT~1.DEF\storage\PERMAN~1\chrome\idb\165711~1.FIL\32D4TM~1.BAT
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\fc1b0a099146e9839ea978deb2fa554ab434c183a47e414c684f6209fc6962c3.exe"
3⤵
- Views/modifies file attributes
PID:928

C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\32D4.tmp.bat"
3⤵
- Views/modifies file attributes
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\AE6VYT~1.DEF\storage\PERMAN~1\chrome\idb\165711~1.FIL\32D4.tmp.bat

Filesize
720B

MD5
480725344bc6b149733f54717d356a2b

SHA1
7230767990b55f419d1f35254745fbe51b885e64

SHA256
86a4c2d3e1977aaf363f9c2b82cce842f60a1276c421c9801fb4d74d22f14e19

SHA512
aae0ce52c0d373e729eba078f94dfafea880debb62d2038d090216fca4f3368dd5204a0e558991b774f9f307365fbd0d82cd7477e7383559d2ba7d8c6cbda989

Download Submit
memory/928-64-0x0000000000000000-mapping.dmp

Download
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/1192-65-0x0000000000000000-mapping.dmp

Download
memory/1508-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1508-59-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1508-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-60-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1508-62-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads