6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251

General

Target

6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
Size

356KB
MD5

5a4aa2eca3ea94008683edb95a06c18a
SHA1

b134faede0beaf303bec21098a352861a915fa34
SHA256

6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251
SHA512

c2277d81774e90fd89397e5c26a6548d0b4d19b2bbd34bffba7a62a127491961d89919f3e4475bd17d9c00e27d0cb3dc483dcc65f960bef239e3156abf8e298f
SSDEEP

6144:/YEvgjhQMWekPQRacktlIgAm75bOvG/bPUMp3l8gUAqPHurdA:/Y9OMWbQRCLbM6BqWA

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	roeleon.exe

Executes dropped EXE 1 IoCs

pid	Process
1524	roeleon.exe

Loads dropped DLL 2 IoCs

pid	Process
748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\roeleon = "C:\\Users\\Admin\\roeleon.exe /o"	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	roeleon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\roeleon = "C:\\Users\\Admin\\roeleon.exe /w"	roeleon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
1524	roeleon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
1524	roeleon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1524	748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe	28
PID 748 wrote to memory of 1524	748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe	28
PID 748 wrote to memory of 1524	748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe	28
PID 748 wrote to memory of 1524	748	6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe	28

C:\Users\Admin\AppData\Local\Temp\6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe
"C:\Users\Admin\AppData\Local\Temp\6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\roeleon.exe
  "C:\Users\Admin\roeleon.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\roeleon.exe

Filesize
356KB

MD5
5a4aa2eca3ea94008683edb95a06c18a

SHA1
b134faede0beaf303bec21098a352861a915fa34

SHA256
6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251

SHA512
c2277d81774e90fd89397e5c26a6548d0b4d19b2bbd34bffba7a62a127491961d89919f3e4475bd17d9c00e27d0cb3dc483dcc65f960bef239e3156abf8e298f

Download Submit
C:\Users\Admin\roeleon.exe

Filesize
356KB

MD5
5a4aa2eca3ea94008683edb95a06c18a

SHA1
b134faede0beaf303bec21098a352861a915fa34

SHA256
6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251

SHA512
c2277d81774e90fd89397e5c26a6548d0b4d19b2bbd34bffba7a62a127491961d89919f3e4475bd17d9c00e27d0cb3dc483dcc65f960bef239e3156abf8e298f

Download Submit
\Users\Admin\roeleon.exe

Filesize
356KB

MD5
5a4aa2eca3ea94008683edb95a06c18a

SHA1
b134faede0beaf303bec21098a352861a915fa34

SHA256
6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251

SHA512
c2277d81774e90fd89397e5c26a6548d0b4d19b2bbd34bffba7a62a127491961d89919f3e4475bd17d9c00e27d0cb3dc483dcc65f960bef239e3156abf8e298f

Download Submit
\Users\Admin\roeleon.exe

Filesize
356KB

MD5
5a4aa2eca3ea94008683edb95a06c18a

SHA1
b134faede0beaf303bec21098a352861a915fa34

SHA256
6fd104f2e836ddc8887b59cbd5f84ed1d58e9d7abfe6e241c9543d44fcd9f251

SHA512
c2277d81774e90fd89397e5c26a6548d0b4d19b2bbd34bffba7a62a127491961d89919f3e4475bd17d9c00e27d0cb3dc483dcc65f960bef239e3156abf8e298f

Download Submit
memory/748-56-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/748-65-0x0000000074851000-0x0000000074853000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads