3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059

General

Target

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
Size

322KB
MD5

a2f8ef5fb42b3df1cf821b0ff65ff49a
SHA1

1e5db5c9ebfffb65385d3d4140aafccd182bb05e
SHA256

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059
SHA512

ef32373c620992a2668754a94bf8757e2f22cbe38dd25be4fc3d13d01bda12b4a62f087abaca8d5f1702a5576f2a34b32dbee4df360803de03f7cfd28de10b91
SSDEEP

6144:iRSE+VDpJYWmlwnx9u6BMf0Cv3g6dg9wx/Kj64/:2SE+VF9mOx9ukEv3g6dFx/Kj64

Score

9^/10

spyware stealer

Malware Config

Signatures

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\iepv.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

passwordfox.exeiepv.exe

pid process

280 passwordfox.exe
1016 iepv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

iepv.exe

description pid process

Token: SeDebugPrivilege 1016 iepv.exe
Token: SeRestorePrivilege 1016 iepv.exe
Token: SeBackupPrivilege 1016 iepv.exe

pid	process
280	passwordfox.exe
1016	iepv.exe

description	pid	process
Token: SeDebugPrivilege	1016	iepv.exe
Token: SeRestorePrivilege	1016	iepv.exe
Token: SeBackupPrivilege	1016	iepv.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe

description	pid	process	target process
PID 1456 wrote to memory of 280	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 1456 wrote to memory of 280	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 1456 wrote to memory of 280	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 1456 wrote to memory of 280	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	passwordfox.exe
PID 1456 wrote to memory of 1016	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 1456 wrote to memory of 1016	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 1456 wrote to memory of 1016	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 1456 wrote to memory of 1016	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	iepv.exe
PID 1456 wrote to memory of 544	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	dw20.exe
PID 1456 wrote to memory of 544	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	dw20.exe
PID 1456 wrote to memory of 544	1456	3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fa0e5c1a4003e46bdd6533e67526e90637bec89f44b47dd3afd3b5c1e8059.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
2⤵
- Executes dropped EXE
PID:280

C:\Users\Admin\AppData\Local\Temp\iepv.exe
C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1064
2⤵
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe
Filesize
88KB

MD5
96eaf707a7f5e252e0ef640a9f9a41e9

SHA1
1db028b8e2dad98ab25abfa498ffd0e344b8178c

SHA256
9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2

SHA512
12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
Filesize
88KB

MD5
09b98d668124d3894814f57e84da1b25

SHA1
13e3ede7c513d7e6853f99309b83ca01a1de41fd

SHA256
432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512

SHA512
2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615

Download Submit
memory/280-57-0x0000000000000000-mapping.dmp

Download
memory/280-59-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/544-65-0x0000000000000000-mapping.dmp

Download
memory/544-66-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1016-62-0x0000000000000000-mapping.dmp

Download
memory/1456-54-0x000007FEF4070000-0x000007FEF4A93000-memory.dmp

Filesize
10.1MB

Download
memory/1456-55-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmp

Filesize
16.6MB

Download
memory/1456-56-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download
memory/1456-61-0x00000000005D0000-0x0000000000650000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing