e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d

General

Target

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Size

622KB
MD5

59fc21b36599cf9da3bdea1d4890782e
SHA1

47a1c92077dbffa039948c012c1630712157bae8
SHA256

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d
SHA512

f310c7752ec61b232d8ef242a3ee0601593e775fce4cb938264f8b3c22d115e29e8e2e841e5f608effa290b27cd45b10fdc2c1296b5ddc83f4192e5c0d149875
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\\packages\\vcRuntimeMinimum_amd64\\hlaIUVmkfySH7UoyYJfhfGarWB8SoZEnJpLQELkyyhosKYvIE1pjjVMChwhwB28l6DDpBK.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1214520366-621468234-4062160515-1000\\0aP9GbB4ka7vlAo3oHxkgzmWQYE45TVWe22LYTQPIVUpoL9tMMHZ0jKjbnchKKxYjsE.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\d4GO3lSGrhtdlVmcqX40dBHNi72c3N479Q3pT6Me1lSKJVE043ZdGUr1bQSSN.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies data under HKEY_USERS 35 IoCs

Processes:

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Adobe\\Updater6\\WaerNQgHS4EFY4GLEfGEJIa6BGeQHRzhtI3WxJ.exe\" O 2>NUL"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java Development Kit\\lsYtDKbRbdT0PR9Nt8FrbV4tsi82Y8SGPa255mV41hDjgc9AbXsjWJfpa1kARTLUWF.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\NnUBhjU4BqI0kmSgTEepQVxp8ubJZkpu32tZiqmAwxnjY4iEhpO5GEy6aEOOh2GBw0I.exe\" O 2>NUL"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3PEfCZGWRaMWGm352oMUJX3U9gcYwOhlpfRFhNh5H3vbPRZ2hAcTREs.exe\" O 2>NUL"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\DRM\\4HeGWxeokmMsAMjA9EUOGhD3y.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\BrowserMetrics\\mhDiZNFGhemNNGtdnjfyYYeX4qj1MJCqUEaMWbAFiz27NpzVoQF.exe\" O 2>NUL"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\bMqhCAr1YaX3lmdPfnS5D9Vk0WwPl8hpYyZCJbXR6KJ9bix1godMDoSywYhoG3.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\pXMKRFlSrnXL569RI6umATR9GhwoQLYZontM1qBpLBy6oL8E3PHcEnylZ.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

Modifies registry class 12 IoCs

Processes:

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\16\\Gm1vXn70OIhiY1bEeYbvtawInuRhVg9mmAoffYWzIGFmysTw.exe\" O"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Command Processor	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\7ZSAvpl2zLtC80SniaoNS9ppjy.exe\" O 2>NUL"	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1500	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Token: SeRestorePrivilege	1500	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Token: SeShutdownPrivilege	1500	e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
"C:\Users\Admin\AppData\Local\Temp\e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x15c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-57-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1500-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1500-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1500-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads