4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090

General

Target

4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe
Size

220KB
MD5

fe3f51f278e133a000f4ddafab5b8792
SHA1

7bea10889608837138ab4c4ec75762ec9b4e1d9b
SHA256

4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090
SHA512

b0746cdc74ace21f14520cbcb7dc0e9f72861ecbd5803f0437218b4b9ee7c6af441eaacdd896c071fc445d9aa9572a1cb15774a65843c6419cc5dfa3d97e3bcc
SSDEEP

3072:/kDeEQNzxUbDf4tmSqtarA9K6pQ32afgWDoqt531Tg:8DtQBxAbSdrt6S32Mxt5l

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	winNetSc.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe
1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winNetSc.exe	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1480	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	28
PID 1708 wrote to memory of 1480	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	28
PID 1708 wrote to memory of 1480	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	28
PID 1708 wrote to memory of 1480	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	28
PID 1708 wrote to memory of 636	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	32
PID 1708 wrote to memory of 636	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	32
PID 1708 wrote to memory of 636	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	32
PID 1708 wrote to memory of 636	1708	4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe	32

C:\Users\Admin\AppData\Local\Temp\4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe
"C:\Users\Admin\AppData\Local\Temp\4809959113a70d4152d48d1d7343d6e15d7bc59159ebc04a011ad717d91ee090.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\winNetSc.exe
  "C:\Windows\system32\winNetSc.exe"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\kill32.bat" "
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winNetSc.exe

Filesize
24KB

MD5
b50a0d854eb7fbc12458ca2e0dbefd01

SHA1
3b965ad53d31e30657890dc1d0c738c5473e419d

SHA256
20b7a0a2b759086e5d2ab3c0f10773fdcf6c134e0437868a29c2e9d84cf4c9b2

SHA512
c527ecef50c0e67284265a279d52f9d3dd3044e398774e9c7b60db3e75b14db7f3bff1d3e5967d24964b27a571f116bdf9fa28a7525fb63ff1762b41348cfa55

Download Submit
C:\kill32.bat

Filesize
101B

MD5
97191ce34ba085d0ec535a183e9a640b

SHA1
f0246544231a1817a83bb2b48d908f6bf4830d33

SHA256
485360a4807183ccfe9da881f46164ee591c7a521c6615057e7164f92fdccc92

SHA512
8d8cf94700cf77141d66a0cb138544f212609b0613c6015f695e2dc438eda43c44aaff9620d8e75d77fb89a0a8a66f45c67dcac922f5a902296151f67376d050

Download Submit
\Windows\SysWOW64\winNetSc.exe

Filesize
24KB

MD5
b50a0d854eb7fbc12458ca2e0dbefd01

SHA1
3b965ad53d31e30657890dc1d0c738c5473e419d

SHA256
20b7a0a2b759086e5d2ab3c0f10773fdcf6c134e0437868a29c2e9d84cf4c9b2

SHA512
c527ecef50c0e67284265a279d52f9d3dd3044e398774e9c7b60db3e75b14db7f3bff1d3e5967d24964b27a571f116bdf9fa28a7525fb63ff1762b41348cfa55

Download Submit
\Windows\SysWOW64\winNetSc.exe

Filesize
24KB

MD5
b50a0d854eb7fbc12458ca2e0dbefd01

SHA1
3b965ad53d31e30657890dc1d0c738c5473e419d

SHA256
20b7a0a2b759086e5d2ab3c0f10773fdcf6c134e0437868a29c2e9d84cf4c9b2

SHA512
c527ecef50c0e67284265a279d52f9d3dd3044e398774e9c7b60db3e75b14db7f3bff1d3e5967d24964b27a571f116bdf9fa28a7525fb63ff1762b41348cfa55

Download Submit
memory/1708-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing