8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74

General

Target

8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe
Size

1.4MB
MD5

88ff858fbf8ce54b768251482847d93f
SHA1

f8584a80e775b2405012d2b1e11a0329b62ae726
SHA256

8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74
SHA512

fef48aa401736f57d681500413b8d7ae2905504e43cdf55d98213ef0cdf870660e5e54e1b4a2fca2472ba75a812b017896301c1678ef7f4c49fb06a6bd0dfc6d
SSDEEP

24576:bdzclqN0oM7izRiDK8JKCT4EgDVVwIaoYyGSaci34gZ3:J5NcizRitK64EgDVVwIXYvSri3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1992	vbc.exe
592	lampada.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe
1992	vbc.exe
1992	vbc.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 2016 wrote to memory of 1992	2016	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	27
PID 1992 wrote to memory of 592	1992	vbc.exe	28
PID 1992 wrote to memory of 592	1992	vbc.exe	28
PID 1992 wrote to memory of 592	1992	vbc.exe	28
PID 1992 wrote to memory of 592	1992	vbc.exe	28

C:\Users\Admin\AppData\Local\Temp\8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe
"C:\Users\Admin\AppData\Local\Temp\8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\lampada.exe
    "C:\Users\Admin\AppData\Local\Temp\lampada.exe"
    3⤵
    - Executes dropped EXE
    PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1992-60-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-63-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-68-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-61-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-73-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-59-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-57-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-56-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-77-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2016-72-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/2016-78-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing