e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd

General

Target

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Size

859KB
MD5

9f29d49aae32c865aa36a4bea4a48820
SHA1

1e061707d14718d7c2a3e8e109a5398f0afc3a19
SHA256

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd
SHA512

8ffae3b8e4f19d10973b5a911a23ce5106f0ffcfc4035a045e17d008e79d3146543320efba46660c7eadbfc0f6174fe159f33f7fdf2913d2f70df88273173777
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\OFFICE\\c20wwqm9IXBw7jXFyuDJeGJr8H35khHTneSUZxHZlFeqXX.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\Favorites\\Windows Live\\j5ndGYq085q7CHVh2sgs3NDFvbjwPCDIfYOrod.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\PL4zAY8YVRagnDrZXm8Dq0n2M8BYczGlwE3PRpJZ5ps.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 35 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\packages\\vcRuntimeMinimum_amd64\\6ysNuLFBZRUFtwwv5ljTgapNPU7.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Y74sd1q2eysEBsttco6keskioRSdyvWPnBltYSd4iqjkIHgMSlRYg5sUoRUk9URHY.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\H89fyjGJ.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\host\\BcrE7VrgHvzr9mlWPepdNQS7loy2dUFbnubzeWpsOOuGyCJgMtHQXwzjDy2vZngy5.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\pe9iawd3.default-release\\djuXyN428iYSPNwy2gHmNIefNyJDReeF1mMV.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\BrCUjnzWgC0KiRyKwTXbPSP3oQTmA9K0EptOQkDy3MaDQGglIgVV.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\8HfAP8yfIyGgy3uu5yCBw8PTidZ5oUVMQYYV8i.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\it-IT\\oStoTn0dOvgcIRkyD83l.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

Modifies registry class 12 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\BB91xkQE.exe\" O 2>NUL"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\7MJHg4Sd5JxLqPfxMVGsZk017jnsGlCcjqyrEz6ufvOkKZY4HeGXE2tYmvzVUvA0odmNe.exe\" O"	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	652	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: SeRestorePrivilege	652	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: SeShutdownPrivilege	652	e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe
"C:\Users\Admin\AppData\Local\Temp\e5d3eedc0c2547f9c724e874e27873f86bf5059ef5fa3b9d48fe128ea771e6bd.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/652-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1160-56-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads