8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863

General

Target

8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
Size

92KB
MD5

f3cfdcf3ec0a7e4723e01e132a07b871
SHA1

e1f7c0652a03675a99c67e9cabe605a0a1fc0e66
SHA256

8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863
SHA512

6f90a1a993ceb46889bade2e6d7a408eead28a9734ca5db01761ab5869b367eb9f54513b7bcbc6f71ca1c68cabbd509b78db4563be28f4727306ff118e8454fb
SSDEEP

1536:fZgJa/0yAqyDOwYv0lfR0LraD0NVeeOSs/5ndJ:xgJac9f0rJbLGxD

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erty45jgjn4t5ngj4nrg = "C:\\Users\\Admin\\AppData\\Roaming\\Crime\\Crime.exe"	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\erty45jgjn4t5ngj4nrg = "C:\\Users\\Admin\\AppData\\Roaming\\Crime\\Crime.exe"	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4840	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2844	4840	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	83
PID 4840 wrote to memory of 2844	4840	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	83
PID 4840 wrote to memory of 2844	4840	8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe	83
PID 2844 wrote to memory of 232	2844	csc.exe	85
PID 2844 wrote to memory of 232	2844	csc.exe	85
PID 2844 wrote to memory of 232	2844	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe
"C:\Users\Admin\AppData\Local\Temp\8823f8f6376e84ea93d1744d47f30059d9e31a36ddbcb5ebff6fa6764a45f863.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezigyq6o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B18.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B17.tmp"
    3⤵
    PID:232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B18.tmp

Filesize
1KB

MD5
3fcd4c766c814601038723b677e47f9a

SHA1
a83c6f41e91e60ad2bda566a9419185ece3f26af

SHA256
64af37dc84be5132edbaa36eab670353004f9367bb402a68cde4404af3e7dd5d

SHA512
f6544bcd1c27a67f254e1a5567ede4f6cf991a50ae1e3f8f72e0436388fda6c441bbc0a55cf6441bf14c9ec30acd3925e2d7414d7052256e7c5b328d2a5b8d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezigyq6o.dll

Filesize
5KB

MD5
0596777ec938995aa6759196b598be5a

SHA1
35226376ea7c5943c9cbbcab23c63d42bbe8cd6b

SHA256
755dd314e1add59834b3a4eca2af500a1da03d727709084ecef7d5318d03ca05

SHA512
29d873fd1a24b8a0c30bac0d2c9d3f0604604e5daeeff046049483d490941195b3456c97cb8d3ff149f56de6828febb3a83c78999d4ae17abb462b6ba7a64de0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9B17.tmp

Filesize
652B

MD5
9c84f655759f0d98afc737d4d0534812

SHA1
ae8daa16e7a3cccc1339677b70ac4471cb0b6888

SHA256
9ac24385138de4e7d4d201833f9dd3904d2987b3ac95d111d3783977182ecea6

SHA512
08ef6271e3a227dc6c9590c4ad78bb27d8ce73402151e0710eb41833ff7366ea219ecde1806e1fbe726d241790e52d9893f1f150c2b8ecac1eeba66aef42b7df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezigyq6o.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ezigyq6o.cmdline

Filesize
206B

MD5
3c06d9ba6d2f36df577dbf96cfab0b22

SHA1
53bdaa8f891758cefa08cd1c7c3dc77dee2bd9ff

SHA256
e413d6390fd3c02d2d9d8a502f912419204e1cf29cc64e908853b5ee60bb6914

SHA512
903259273b26eef07e6a196914140e3bbc7fbeeb3505e1a0be68689bc7d76d14d3292500d129b21a8d7cb3a04c6e79f2a6ac78c49048617ba035c7b623fd15fe

Download Submit
memory/4840-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4840-133-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4840-141-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing