b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

General

Target

b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
Size

1.1MB
MD5

b76353f4f915d958df5617ac8c40ea67
SHA1

f565bad20741158afa83d4019ca9527afa1dbc64
SHA256

b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73
SHA512

02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6
SSDEEP

24576:Etz8aJoW5Q4FA1If3x1bDPTnA52qmJwlpvj1ifNhLWp:iAA3XbPsIfNhLM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	Update.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-70-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral1/memory/2020-71-0x0000000010000000-0x000000001005A000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1020	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
2020	Update.exe
2020	Update.exe
2020	Update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Secure-Soft Stealer\\Update.exe\""	WScript.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bearshare\shared\	Update.exe
File created	C:\Program Files (x86)\edonkey2000\incoming\	Update.exe
File created	C:\Program Files (x86)\kazaa\my shared folder\	Update.exe
File created	C:\Program Files (x86)\limewire\shared\	Update.exe
File created	C:\Program Files (x86)\morpheus\my shared folder\	Update.exe
File created	C:\Program Files (x86)\winmx\shared\	Update.exe
File created	C:\Program Files (x86)\grokster\my grokster\	Update.exe
File created	C:\Program Files (x86)\icq\shared folder\	Update.exe
File created	C:\Program Files (x86)\tesla\files\	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
2020	Update.exe
2020	Update.exe
2020	Update.exe
2020	Update.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	27
PID 1824 wrote to memory of 1020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	27
PID 1824 wrote to memory of 1020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	27
PID 1824 wrote to memory of 1020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	27
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 1824 wrote to memory of 2020	1824	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	29
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 1932	2020	Update.exe	30
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31
PID 2020 wrote to memory of 964	2020	Update.exe	31

C:\Users\Admin\AppData\Local\Temp\b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
"C:\Users\Admin\AppData\Local\Temp\b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Melt.bat" "
  2⤵
  - Deletes itself
  PID:1020
- C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe
  "C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Autorun.vbs"
    3⤵
    - Adds Run key to start application
    PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Taskmanager.bat" "
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autorun.vbs

Filesize
257B

MD5
d1c35608e1592ddfc7ec8334c688ae45

SHA1
84effb46537586059c31b67ced3d5f81f81a2d0b

SHA256
cec2156a84c71ef1d9f1a024b68b29e5d38d2f8725396bd19723e75c7cb6317b

SHA512
57542401a27a825b48f387519f23a2b95d90ecd55552605475ee44f41c04e4fc335d20b0cc13fc9888d621457ef609c71b4f5c11bb1d062f2c8c9a4089803759

Download Submit
C:\Users\Admin\AppData\Roaming\Melt.bat

Filesize
254B

MD5
878754cdcb4cd200d150e64f8e3fc5a7

SHA1
bdd7554625c6f951d734062d1ceb387425f8f6da

SHA256
c28feedbcf615c2f915b1944538203027bffa6c84ffab3d571c1392456c37675

SHA512
045a84e22adb94fc4b22d34ecec6a010d7b4e9ec501e42a37abdb6098bd1c933f91b66ac1b7ea11f380f025a10c72e9d59c505e1b9e4af1d4a8f87e241e7e108

Download Submit
C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/2020-70-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2020-71-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing