f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
Size

108KB
MD5

192c76e94a971c5951b114ddee7c6152
SHA1

4f37224fe8cc8d1fec4037255868fe07718b4909
SHA256

f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8
SHA512

23efaf9051eb1aece14e4430fe145b4f6ed5677613a93ee4f27d350bfaa85c76238eee4136dd5e413d29297ffccf2628985f89fdaec0171705135cc86449d2c3
SSDEEP

1536:qo4Kalkc124vaaVKe1b2YdGSDBEfcCobsVqwRIJjtVInA0qbBlY4Zufpe:qtKa0NiKYdGS1iGcIBInv4BlSfpe

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\mdm.exe = "c:\\windows\\mdm.exe:*:Enabled:Microsoft Firevall Engine"	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe

Executes dropped EXE 2 IoCs

pid	Process
696	mdm.exe
1640	mdm.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1976	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	mdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine = "c:\\windows\\mdm.exe"	mdm.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	mdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine = "c:\\windows\\mdm.exe"	mdm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 696 set thread context of 1640	696	mdm.exe	41

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\mdm.exe	mdm.exe
File opened for modification	\??\c:\windows\mdm.exe	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
File created	\??\c:\windows\mdm.exe	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://enaricles.com"	mdm.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe
1640	mdm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
Token: SeDebugPrivilege	1640	mdm.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1264	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	27
PID 1256 wrote to memory of 1264	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	27
PID 1256 wrote to memory of 1264	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	27
PID 1256 wrote to memory of 1264	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	27
PID 1264 wrote to memory of 1648	1264	net.exe	29
PID 1264 wrote to memory of 1648	1264	net.exe	29
PID 1264 wrote to memory of 1648	1264	net.exe	29
PID 1264 wrote to memory of 1648	1264	net.exe	29
PID 1256 wrote to memory of 1620	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	30
PID 1256 wrote to memory of 1620	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	30
PID 1256 wrote to memory of 1620	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	30
PID 1256 wrote to memory of 1620	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	30
PID 1620 wrote to memory of 1568	1620	net.exe	32
PID 1620 wrote to memory of 1568	1620	net.exe	32
PID 1620 wrote to memory of 1568	1620	net.exe	32
PID 1620 wrote to memory of 1568	1620	net.exe	32
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1256 wrote to memory of 1596	1256	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	33
PID 1596 wrote to memory of 696	1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	34
PID 1596 wrote to memory of 696	1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	34
PID 1596 wrote to memory of 696	1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	34
PID 1596 wrote to memory of 696	1596	f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe	34
PID 696 wrote to memory of 572	696	mdm.exe	35
PID 696 wrote to memory of 572	696	mdm.exe	35
PID 696 wrote to memory of 572	696	mdm.exe	35
PID 696 wrote to memory of 572	696	mdm.exe	35
PID 572 wrote to memory of 520	572	net.exe	37
PID 572 wrote to memory of 520	572	net.exe	37
PID 572 wrote to memory of 520	572	net.exe	37
PID 572 wrote to memory of 520	572	net.exe	37
PID 696 wrote to memory of 1804	696	mdm.exe	38
PID 696 wrote to memory of 1804	696	mdm.exe	38
PID 696 wrote to memory of 1804	696	mdm.exe	38
PID 696 wrote to memory of 1804	696	mdm.exe	38
PID 1804 wrote to memory of 428	1804	net.exe	40
PID 1804 wrote to memory of 428	1804	net.exe	40
PID 1804 wrote to memory of 428	1804	net.exe	40
PID 1804 wrote to memory of 428	1804	net.exe	40
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 696 wrote to memory of 1640	696	mdm.exe	41
PID 1640 wrote to memory of 1976	1640	mdm.exe	42
PID 1640 wrote to memory of 1976	1640	mdm.exe	42
PID 1640 wrote to memory of 1976	1640	mdm.exe	42
PID 1640 wrote to memory of 1976	1640	mdm.exe	42

C:\Users\Admin\AppData\Local\Temp\f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
"C:\Users\Admin\AppData\Local\Temp\f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\net.exe
  net stop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  net stop wuauclt.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wuauclt.exe
    3⤵
    PID:1568
- C:\Users\Admin\AppData\Local\Temp\f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
  C:\Users\Admin\AppData\Local\Temp\f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8.exe
  2⤵
  - Modifies firewall policy service
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - \??\c:\windows\mdm.exe
    c:\windows\mdm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\net.exe
      net stop
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop
        5⤵
        
        PID:520
  - - C:\Windows\SysWOW64\net.exe
      net stop wuauclt.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauclt.exe
        5⤵
        
        PID:428
  - - \??\c:\windows\mdm.exe
      c:\windows\mdm.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies Internet Explorer start page
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "c:\windows\mdm.exe" "MSN Messenger" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mdm.exe

Filesize
108KB

MD5
192c76e94a971c5951b114ddee7c6152

SHA1
4f37224fe8cc8d1fec4037255868fe07718b4909

SHA256
f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8

SHA512
23efaf9051eb1aece14e4430fe145b4f6ed5677613a93ee4f27d350bfaa85c76238eee4136dd5e413d29297ffccf2628985f89fdaec0171705135cc86449d2c3

Download Submit
C:\Windows\mdm.exe

Filesize
108KB

MD5
192c76e94a971c5951b114ddee7c6152

SHA1
4f37224fe8cc8d1fec4037255868fe07718b4909

SHA256
f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8

SHA512
23efaf9051eb1aece14e4430fe145b4f6ed5677613a93ee4f27d350bfaa85c76238eee4136dd5e413d29297ffccf2628985f89fdaec0171705135cc86449d2c3

Download Submit
\??\c:\windows\mdm.exe

Filesize
108KB

MD5
192c76e94a971c5951b114ddee7c6152

SHA1
4f37224fe8cc8d1fec4037255868fe07718b4909

SHA256
f3b8625e35ba798d61208eb9d75e0ca83e0a0c142423a372455476030ef011c8

SHA512
23efaf9051eb1aece14e4430fe145b4f6ed5677613a93ee4f27d350bfaa85c76238eee4136dd5e413d29297ffccf2628985f89fdaec0171705135cc86449d2c3

Download Submit
memory/1596-66-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1596-69-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1596-70-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1596-59-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1596-61-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1596-64-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1596-58-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download