d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f

General

Target

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Size

2.2MB
MD5

918e8a42969bf7116f9fee3920f69452
SHA1

36f62373783a63c52f7987cb696c3a00c8ad3ddb
SHA256

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f
SHA512

745e2df16ede25dfbba03e6a359b5c48177121643931f5b861701455c34e1e45c00eff80e29fddbf62d60be9b0714158f726ee3a5582442ad342c9b21c540645
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Code Cache\\wasm\\ngDSErWn2HZnJnXyqeJKewVEfILcbgzd.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Ymgt6CNPme0HOABm9Z9.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\\AC\\INetCache\\RsTsf8V6uAitoM2NBU9maEsA3IPNhxRcjlRbKed3NmFyAp.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 35 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\qml\\QtQuick\\Templates.2\\CNWs7TpASFdhOVA4LosLUJz2v7bPgkoDHa6Tmu.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\NcsiUwpApp_8wekyb3d8bbwe\\AC\\INetCache\\w0umssE65FOy40HcNNc3aq2Q.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\9Ad1cXdgsQMrUFqv5sIGjIWJW90tn5QFOb16Ttvl4OfABNAK.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\mk\\6GDJsMDbiNTyTpvAyd4lfilma1UnXUTMadSIiOD.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\GufluPtWwaYaWyViYTJ.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\8OBGegS2ePnrivYjCA67GUyUVGKXZR00Im2R9ZTt3io3KXSkVSIKg5FMwkauUlFDah.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\\AC\\Temp\\kyxbMTIYm.exe\" O"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

Modifies registry class 4 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\SOFTWARE\Microsoft\Command Processor	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\SOFTWARE	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\SOFTWARE\Microsoft	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\xe0bNXAufO0A8JfpvWg5OVJb7xMNmXqFPwrDRW0ZRGJF86ZAa.exe\" O 2>NUL"	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

description	pid	process
Token: SeBackupPrivilege	2220	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
Token: SeRestorePrivilege	2220	d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe

C:\Users\Admin\AppData\Local\Temp\d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe
"C:\Users\Admin\AppData\Local\Temp\d53612557b5266cdc7b68f433ac079f52d2fca618f239a1a788a904eecec3a9f.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads