9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

General

Target

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
Size

251KB
MD5

07674572cf79953c21898b8014967e52
SHA1

fd6c764b9b4fbd2c1dec2f26a5386bc48e769346
SHA256

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90
SHA512

7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b
SSDEEP

3072:4ar2vYb/wk6D6EWOzYQjqRbC+h7jTBLjF5FemO9QbBLUcLTUEwhdI:4ayvYb/wk6TWOALhXTB0meQlUcLQEw

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OutDisable.exe

pid process

872 OutDisable.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe

pid process

624 9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
872	OutDisable.exe

pid	process
432	cmd.exe

pid	process
624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe

description pid process target process

PID 624 set thread context of 432 624 9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe cmd.exe

description	pid	process	target process
PID 624 set thread context of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\693A73FD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OutDisable.exe

pid process

872 OutDisable.exe
872 OutDisable.exe

pid	process
872	OutDisable.exe
872	OutDisable.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
Token: SeSecurityPrivilege	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
Token: SeManageVolumePrivilege	280	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

280 WinMail.exe

pid	process
280	WinMail.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exeOutDisable.execmd.exeexplorer.exe

description	pid	process	target process
PID 624 wrote to memory of 872	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	OutDisable.exe
PID 624 wrote to memory of 872	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	OutDisable.exe
PID 624 wrote to memory of 872	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	OutDisable.exe
PID 624 wrote to memory of 872	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	OutDisable.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 776	872	OutDisable.exe	explorer.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 872 wrote to memory of 624	872	OutDisable.exe	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 624 wrote to memory of 432	624	9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe	cmd.exe
PID 432 wrote to memory of 1272	432	cmd.exe	Explorer.EXE
PID 432 wrote to memory of 1272	432	cmd.exe	Explorer.EXE
PID 432 wrote to memory of 1272	432	cmd.exe	Explorer.EXE
PID 776 wrote to memory of 1272	776	explorer.exe	Explorer.EXE
PID 776 wrote to memory of 1272	776	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe
  "C:\Users\Admin\AppData\Local\Temp\9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\OutDisable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\OutDisable.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5433c680.bat"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:432

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5433c680.bat

Filesize
307B

MD5
d871564f840a5998cdc3da05ad01f17f

SHA1
5069a6bb1c1ee0e7844137eb7ea3f8c4c949ed82

SHA256
dc8a519d6b910158318b4b120282b0329c56b152210b5f7c88a734050172507b

SHA512
fa35b277e3a7da5cc28296923011e0795d4bbd9c962448720288db900364a22f11c28da7cdb7fc767b8d62a84e109e91bf6588ee71153f7f5609827fe31804ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\OutDisable.exe

Filesize
251KB

MD5
07674572cf79953c21898b8014967e52

SHA1
fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

SHA256
9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

SHA512
7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\OutDisable.exe

Filesize
251KB

MD5
07674572cf79953c21898b8014967e52

SHA1
fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

SHA256
9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

SHA512
7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\OutDisable.exe

Filesize
251KB

MD5
07674572cf79953c21898b8014967e52

SHA1
fd6c764b9b4fbd2c1dec2f26a5386bc48e769346

SHA256
9fc38c978d4a87b5a9c9c1d5cdbfaf79243f1c9afcd304d1b04a36fb830ccd90

SHA512
7c947f210c575d6b38a7fb5e5dd4ecee409c2df389fb285644175be1e713ca29d0a9dc321bcb37fa85ed26a7a08e9a12c3e9d9be45de7f42e1fae3c8015a8f0b

Download Submit
memory/280-84-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/280-85-0x000007FEF6F01000-0x000007FEF6F03000-memory.dmp

Filesize
8KB

Download
memory/280-86-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/280-92-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/432-108-0x0000000000053A47-mapping.dmp

Download
memory/432-107-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-106-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-104-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-105-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-102-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-112-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-113-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/432-115-0x0000000000050000-0x000000000007C000-memory.dmp

Filesize
176KB

Download
memory/624-81-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/624-79-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/624-82-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/624-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/624-83-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/624-55-0x0000000002310000-0x0000000002346000-memory.dmp

Filesize
216KB

Download
memory/624-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/624-110-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/624-109-0x0000000002310000-0x0000000002346000-memory.dmp

Filesize
216KB

Download
memory/624-98-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/776-70-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-71-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-69-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-68-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-66-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-72-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/776-73-0x0000000000000000-mapping.dmp

Download
memory/776-75-0x00000000750B1000-0x00000000750B3000-memory.dmp

Filesize
8KB

Download
memory/776-76-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/872-99-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download
memory/872-65-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download
memory/872-62-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/872-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads