aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

General

Target

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
Size

276KB
MD5

327a0eba2f61ff0c60633747bba87247
SHA1

071ad241da72cdce4d58305dc0a5f429a7ef1ff1
SHA256

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd
SHA512

9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221
SSDEEP

3072:gDYoYtDr6j72xKX6+67C3xpYUUCQCCuKtVkJ/WnWUC4w0lq6A6xHXSE:ZdIBX6k3xpYSQCWW/b4BHBx

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ixkfg.exe

pid process

2032 ixkfg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe

pid	process
2032	ixkfg.exe

pid	process
1700	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

pid	process
2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\qkcn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ixkfg\\ixkfg.exe\""	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

ixkfg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	ixkfg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	ixkfg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1600 PING.EXE

pid	process
1600	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exeixkfg.execmd.exePING.EXE

pid	process
2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
2032	ixkfg.exe
1700	cmd.exe
1700	cmd.exe
1700	cmd.exe
1600	PING.EXE
1600	PING.EXE
1600	PING.EXE
2032	ixkfg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ixkfg.exe

description	pid	process
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe
Token: SeDebugPrivilege	2032	ixkfg.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.execmd.exeixkfg.exe

description	pid	process	target process
PID 2044 wrote to memory of 1380	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	Explorer.EXE
PID 2044 wrote to memory of 2032	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	ixkfg.exe
PID 2044 wrote to memory of 2032	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	ixkfg.exe
PID 2044 wrote to memory of 2032	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	ixkfg.exe
PID 2044 wrote to memory of 2032	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	ixkfg.exe
PID 2044 wrote to memory of 1380	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	Explorer.EXE
PID 2044 wrote to memory of 1700	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 2044 wrote to memory of 1700	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 2044 wrote to memory of 1700	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 2044 wrote to memory of 1700	2044	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 1700 wrote to memory of 1600	1700	cmd.exe	PING.EXE
PID 1700 wrote to memory of 1600	1700	cmd.exe	PING.EXE
PID 1700 wrote to memory of 1600	1700	cmd.exe	PING.EXE
PID 1700 wrote to memory of 1600	1700	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1700	2032	ixkfg.exe	cmd.exe
PID 2032 wrote to memory of 1700	2032	ixkfg.exe	cmd.exe
PID 2032 wrote to memory of 1700	2032	ixkfg.exe	cmd.exe
PID 2032 wrote to memory of 1600	2032	ixkfg.exe	PING.EXE
PID 2032 wrote to memory of 1600	2032	ixkfg.exe	PING.EXE
PID 2032 wrote to memory of 1600	2032	ixkfg.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
"C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Microsoft\Ixkfg\ixkfg.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Ixkfg\ixkfg.exe"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:1600

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Ixkfg\ixkfg.exe
Filesize
276KB

MD5
327a0eba2f61ff0c60633747bba87247

SHA1
071ad241da72cdce4d58305dc0a5f429a7ef1ff1

SHA256
aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

SHA512
9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.Admin\user.js
Filesize
325B

MD5
2d3be5ac1378ee1860aaeca693e5a1d1

SHA1
3c232144e306cf4d80ee5c01f0170c8f377fef68

SHA256
106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502

SHA512
ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\user.js
Filesize
325B

MD5
2d3be5ac1378ee1860aaeca693e5a1d1

SHA1
3c232144e306cf4d80ee5c01f0170c8f377fef68

SHA256
106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502

SHA512
ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Ixkfg\ixkfg.exe
Filesize
276KB

MD5
327a0eba2f61ff0c60633747bba87247

SHA1
071ad241da72cdce4d58305dc0a5f429a7ef1ff1

SHA256
aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

SHA512
9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Ixkfg\ixkfg.exe
Filesize
276KB

MD5
327a0eba2f61ff0c60633747bba87247

SHA1
071ad241da72cdce4d58305dc0a5f429a7ef1ff1

SHA256
aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

SHA512
9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221

Download Submit
memory/1600-99-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-112-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-71-0x0000000000000000-mapping.dmp

Download
memory/1600-113-0x0000000000A40000-0x0000000000A8B000-memory.dmp

Filesize
300KB

Download
memory/1600-108-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-109-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-95-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-110-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-111-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-106-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-98-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-100-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-101-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-103-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-102-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-104-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-105-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1600-107-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1700-70-0x0000000000000000-mapping.dmp

Download
memory/1700-89-0x00000000003D0000-0x000000000041B000-memory.dmp

Filesize
300KB

Download
memory/1700-74-0x0000000000420000-0x000000000046C000-memory.dmp

Filesize
304KB

Download
memory/1700-72-0x00000000003D0000-0x000000000041B000-memory.dmp

Filesize
300KB

Download
memory/2032-62-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x0000000070000000-0x0000000070044000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads