8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863

General

Target

8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
Size

92KB
MD5

f3cfdcf3ec0a7e4723e01e132a07b871
SHA1

e1f7c0652a03675a99c67e9cabe605a0a1fc0e66
SHA256

8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863
SHA512

6f90a1a993ceb46889bade2e6d7a408eead28a9734ca5db01761ab5869b367eb9f54513b7bcbc6f71ca1c68cabbd509b78db4563be28f4727306ff118e8454fb
SSDEEP

1536:fZgJa/0yAqyDOwYv0lfR0LraD0NVeeOSs/5ndJ:xgJac9f0rJbLGxD

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erty45jgjn4t5ngj4nrg = "C:\\Users\\Admin\\AppData\\Roaming\\Crime\\Crime.exe"	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erty45jgjn4t5ngj4nrg = "C:\\Users\\Admin\\AppData\\Roaming\\Crime\\Crime.exe"	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1508	992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	28
PID 992 wrote to memory of 1508	992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	28
PID 992 wrote to memory of 1508	992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	28
PID 992 wrote to memory of 1508	992	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	28
PID 1508 wrote to memory of 1424	1508	csc.exe	30
PID 1508 wrote to memory of 1424	1508	csc.exe	30
PID 1508 wrote to memory of 1424	1508	csc.exe	30
PID 1508 wrote to memory of 1424	1508	csc.exe	30

C:\Users\Admin\AppData\Local\Temp\8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
"C:\Users\Admin\AppData\Local\Temp\8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fh02tif7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES278F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC278E.tmp"
    3⤵
    PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES278F.tmp

Filesize
1KB

MD5
de2145100188cbc9a747a84b6c05b82b

SHA1
c93f91ed6a87d18f5e6ba25dc460c5fc8e8678c7

SHA256
41c451925681f7e620ab67f840ef2cbafbcba5f77272adf1c3cc07c28bacf7ad

SHA512
7eed5b3a5dec64505c2efa78e5f3e5dccaf2d6c5975cf1fa945d85c033ff9e0e2ac9c9c7924df144ee9c9743f97c70701db71978c0110e4de632b5817d9dc590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fh02tif7.dll

Filesize
5KB

MD5
aa95c2b4933fb47f4ca5af4b15b67edf

SHA1
623ed21cc8da1fa8df3c0c39d1969d94264729f7

SHA256
ca8e6343792d616a3419cf1073df96aabe8ff691e08c4a10e022280575491aea

SHA512
75a2f149dafb40aefd99944fcc3723b21f6df62f1fd97939b13cb6fbd049ab22aef3ed8c64ad2df273ee0747c22cbeabf8b32c1288f08fe2af3756ed58617e85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC278E.tmp

Filesize
652B

MD5
affc15160f64a7640c616f2929d73169

SHA1
44dd4e863f9f9659ddee9e66979941101879847f

SHA256
e1ea24ba0a8685719a3f8e7767ee3553b9d462be18c2b09831d7c3dee9fb9b67

SHA512
7224f74321f355d91137dd23356a3ddc171326154b5e7dd03912978d75c92fa95686fc4e272f9d0231254f216596aed298b2f51bcdeedd993227dea750ddf744

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fh02tif7.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fh02tif7.cmdline

Filesize
206B

MD5
48d96bca82ec1325166d6f59152ba4b8

SHA1
74ff9ce155b5b1ef6b86cc8133bfebc3c84905af

SHA256
cb578290cda70b7068ce80c4f4fee5c5d9bbf9fa8a304dd13d03d4cd5f1eeb00

SHA512
7885c66e53fbfb0c81da9d7b2d7864eded3d3399a775152fe5267fb303402cd49e0847be60a53c7e99dd296833277f94e00fabbdca5f86690fa796ff5834124c

Download Submit
memory/992-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/992-63-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/992-64-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing