6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2

General

Target

6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe
Size

872KB
MD5

e1ab81aeeefdc09b1f2a4bd2128013dc
SHA1

a627f111f71e9bb9798dfe9fa76911f2c7e73edf
SHA256

6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2
SHA512

630f44562790992031b3072a37ee6043194c870a09ea3ed22e1cdfaf2da272f9415fe8e9c84a1aea5d15b3e8acca66e85040b7860aa6a3556de84fbaf86f1081
SSDEEP

12288:PzTTMWshu7uRt3nAaXBOxNd5S6FNziE11p4Pvqw8++1uXfNCSzm5:Pxshe2tXAmBo5RFUE11yByuXfNCSzm

Score

10^/10

collection evasion spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

MSBuild.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MSBuild.exe

NirSoft MailPassView 12 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1452-59-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/1452-60-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/1452-62-0x0000000000430CEE-mapping.dmp	MailPassView
behavioral1/memory/1452-63-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/1452-68-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/1452-64-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/1452-71-0x0000000000080000-0x00000000000B6000-memory.dmp	MailPassView
behavioral1/memory/620-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/620-87-0x0000000000411714-mapping.dmp	MailPassView
behavioral1/memory/620-90-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/620-92-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1452-59-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/1452-60-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/1452-62-0x0000000000430CEE-mapping.dmp	Nirsoft
behavioral1/memory/1452-63-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/1452-68-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/1452-64-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/1452-71-0x0000000000080000-0x00000000000B6000-memory.dmp	Nirsoft
behavioral1/memory/620-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/620-87-0x0000000000411714-mapping.dmp	Nirsoft
behavioral1/memory/620-90-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/620-92-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Drops file in Drivers directory 1 IoCs

Processes:

MSBuild.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MSBuild.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

calc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	calc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exeMSBuild.exe

description	pid	process	target process
PID 1416 set thread context of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1452 set thread context of 620	1452	MSBuild.exe	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MSBuild.exe

pid	process
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe

pid process

1416 6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1452 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1452 MSBuild.exe

pid	process
1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe

description	pid	process
Token: SeDebugPrivilege	1452	MSBuild.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exeMSBuild.exe

description	pid	process	target process
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1416 wrote to memory of 1452	1416	6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe	MSBuild.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe
PID 1452 wrote to memory of 620	1452	MSBuild.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe
"C:\Users\Admin\AppData\Local\Temp\6edb0807b9e158ada139c75f4cdd8d1f3ffc4dd5be63855eb31e9f4f02d96cc2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
- UAC bypass
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe" /stext C:\Users\Admin\AppData\Roaming\Mails.txt
3⤵
- Accesses Microsoft Outlook accounts
PID:620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\strpath.tmp
Filesize
102B

MD5
c7a83dde8ad75184b8b07c951be59b6c

SHA1
6286896b47753c864102c97e43d90ff7f1510a3a

SHA256
857c223c0f01e6a167308014e95dd04dfab66ba7b4f908f20676ec07c0a3f543

SHA512
919544fa6a59485dd6dab19feb6042d2b5c44f4b9aab2ac783fbbed2548e6df7840b510c9c6e7e362159038d803317bd27dc166d6f15321e8e2e00246e70a43f

Download Submit
memory/620-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-87-0x0000000000411714-mapping.dmp

Download
memory/620-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1416-74-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1416-55-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-68-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-77-0x0000000000CC6000-0x0000000000CD7000-memory.dmp

Filesize
68KB

Download
memory/1452-71-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-64-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-76-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-63-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-62-0x0000000000430CEE-mapping.dmp

Download
memory/1452-60-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-59-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-57-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-56-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1452-73-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-93-0x0000000000CC6000-0x0000000000CD7000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads