4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834

General

Target

4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
Size

793KB
MD5

8f8a9fa78aa61839e20a968ff65eb0db
SHA1

c132428636b92b7829cd70ecd004fb1d77f9646d
SHA256

4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834
SHA512

4642db8d8f5b5b299dcd3db3b6741e65804602bf6ef9982a660e14c43dc666103586d2855b549c4e6c39706750a6579a7b6628812872f5a09ad80960d6e0fb8d
SSDEEP

24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoyhIj:te/VNLFIAPxCY

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	1364	WerFault.exe	17

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1512	1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe	30
PID 1364 wrote to memory of 1512	1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe	30
PID 1364 wrote to memory of 1512	1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe	30
PID 1364 wrote to memory of 1512	1364	4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe	30

C:\Users\Admin\AppData\Local\Temp\4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe
"C:\Users\Admin\AppData\Local\Temp\4646eb037b498918f7e4558680557879cbf91f28d9668083ee2f25180c4ae834.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 304
  2⤵
  - Program crash
  PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
669KB

MD5
ed6249f72ba742802b2fa3ef20900d18

SHA1
6e50eec3f0b13ff71f86ffc46cf7a1d079381bf3

SHA256
a5396eba9d0564f4bcbafd5a8c4a4019b4b50a5c70a42aef5491a230d21f2922

SHA512
6da4cd5642becef120dbde2d070332d08bf5779bc0ffe66bf3cc51ca13db5619ee0b4f8fe3bc897c1876614a2512b2598f5d1c372764dd18b474081004d87c98

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
627KB

MD5
5d59e053d45049ffb8c6c08d8944e30c

SHA1
292f748d5e326143c3233e9d290087337700d606

SHA256
bcbf8c8ba4386b7716d5481ef9d089b9448990736d3eebdcfa611a09045c3ec3

SHA512
0f8b1c9c30d7b71fb7560377e5895c7bd15d71928c34465b1dde31ae770b6d38d5bac4d34ef4add9e08b72f2b9ea53958f167b0690fa0731af205528512a987b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
2.0MB

MD5
05ed4ffbf6b785750d2cdacca9287f10

SHA1
579c656536ce9cd076fc790cf443caf3a8db5b8f

SHA256
0bce97e8f6cc435250fb6aea0441e4146c7c8f8d90a9b1e76dfabd8701bfd882

SHA512
dddabf3ab629ec5b15e879f90d5f9bb69d6a8b47222989d3e683cbc8a6d4072740a5c5db05952d236529dfdde645990d21a4a9b32c4419ace9e2fe409fce4f01

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
251KB

MD5
3a59b504f6c41324b0d6cb6edbe3ad61

SHA1
2b3aff110badd913d221605d2f01638473dc5756

SHA256
c10801dba6c50237dba700fe2be920f091792e45c32e00db7c63c2c19a35f3a5

SHA512
56c9b7d4afcf8666aedaf55f819b799f2d84bc0736e0c431973114ae760da57209041785b7894f8b6d8d3e70bf040db68f7a95fcbb419fb6c44b70266eecc02d

Download Submit
memory/1364-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1364-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1364-69-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1364-71-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing