f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584

General

Target

f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe
Size

138KB
MD5

75d8c1b6149815ece29ed1a92e3f23da
SHA1

2699a26497ce4f8d311957c051ef13cee53f5c92
SHA256

f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584
SHA512

c539aa92c93cb5bbf57107945b7171985ea31f9e182ca80f71077ee5760cf01cfd54f4702c28f85331c893914b9ec897b33a0e0ad8954ad450e4055689d3327a
SSDEEP

3072:MKDcf/S7wUCJYov3MhPVWnNWZpC2bmfCZMcdR3TUjd0R:MKDcykfJYZnkNEpr5XdRj66R

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svcnost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svcnost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	svcnost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\x2nlw21zgslnsxboexedxruvevvwcjnw2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\x2nlw21zgslnsxboexedxruvevvwcjnw2\\svcnost.exe:*:Enabled:ldrsoft"	svcnost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssend = "\"C:\\Users\\Admin\\AppData\\Roaming\\x2nlw21zgslnsxboexedxruvevvwcjnw2\\svcnost.exe\""	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 4832 set thread context of 5076	4832	svcnost.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe
3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 456 wrote to memory of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 456 wrote to memory of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 456 wrote to memory of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 456 wrote to memory of 3844	456	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	80
PID 3844 wrote to memory of 4832	3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	81
PID 3844 wrote to memory of 4832	3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	81
PID 3844 wrote to memory of 4832	3844	f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe	81
PID 4832 wrote to memory of 5076	4832	svcnost.exe	82
PID 4832 wrote to memory of 5076	4832	svcnost.exe	82
PID 4832 wrote to memory of 5076	4832	svcnost.exe	82
PID 4832 wrote to memory of 5076	4832	svcnost.exe	82
PID 4832 wrote to memory of 5076	4832	svcnost.exe	82

C:\Users\Admin\AppData\Local\Temp\f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe
"C:\Users\Admin\AppData\Local\Temp\f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe
  "C:\Users\Admin\AppData\Local\Temp\f93178fd1ad0a449b9011f93ef1793fb7b6cc4fbb85a67b0a57689ca16ae9584.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Roaming\x2nlw21zgslnsxboexedxruvevvwcjnw2\svcnost.exe
    "C:\Users\Admin\AppData\Roaming\x2nlw21zgslnsxboexedxruvevvwcjnw2\svcnost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Roaming\x2nlw21zgslnsxboexedxruvevvwcjnw2\svcnost.exe
      "C:\Users\Admin\AppData\Roaming\x2nlw21zgslnsxboexedxruvevvwcjnw2\svcnost.exe"
      4⤵
      Modifies firewall policy service
      PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-133-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3844-134-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3844-135-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3844-136-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3844-138-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/3844-145-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5076-144-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5076-147-0x00000000005E0000-0x0000000000601000-memory.dmp

Filesize
132KB

Download
memory/5076-148-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads