b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2

General

Target

b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe
Size

2.4MB
MD5

528b642e1ce1b2689d469b59fe2e8e41
SHA1

69f410bdc9764f7cf925687c7daaf01ce6d47b33
SHA256

b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2
SHA512

8b1bc1a86a2ad8dae6f7e8e95085b4f873b571c921af471dadafc397da67b192487beb0fb03232063ea8fd0627abc21c30152579dcf4dad4c5690703e4746502
SSDEEP

49152:JCR7FGaQDrygJFV7L20Qw1TdVXQKVJEIyDkMzIjWiCNRdqMMgVeu:J07FBQDWg7VP2Xw9dhJCkMGURdq+eu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
892	AllInOneUpload.exe

Loads dropped DLL 2 IoCs

pid	Process
520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe
520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	AllInOneUpload.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe
892	AllInOneUpload.exe
892	AllInOneUpload.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 432 wrote to memory of 520	432	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	28
PID 520 wrote to memory of 892	520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	29
PID 520 wrote to memory of 892	520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	29
PID 520 wrote to memory of 892	520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	29
PID 520 wrote to memory of 892	520	b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe	29

C:\Users\Admin\AppData\Local\Temp\b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe
"C:\Users\Admin\AppData\Local\Temp\b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\b348e896ed776977e96116f65477bbbbf61509f77e60fe8d4ea793f13dd39fe2.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Roaming\AllInOneUpload.exe
    "C:\Users\Admin\AppData\Roaming\AllInOneUpload.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AllInOneUpload.exe

Filesize
2.0MB

MD5
1fdbd0431c04412fa960a5e57f1f849d

SHA1
eb9b054e9c7670550dae23d3b9d0dfe12de3c14f

SHA256
dee5ae253938762466751f54ed52d1cd47992c93d503c4938af7f8f2bd45ccd2

SHA512
4b21a120449f3193c3d31ac68574ebdb0b957e855e5a9e56dcf3f79c762ff05fbb9cfef85a4298e26bd0e80b048530a74ffff0447e36264698dc5edfce14b042

Download Submit
C:\Users\Admin\AppData\Roaming\AllInOneUpload.exe

Filesize
2.0MB

MD5
1fdbd0431c04412fa960a5e57f1f849d

SHA1
eb9b054e9c7670550dae23d3b9d0dfe12de3c14f

SHA256
dee5ae253938762466751f54ed52d1cd47992c93d503c4938af7f8f2bd45ccd2

SHA512
4b21a120449f3193c3d31ac68574ebdb0b957e855e5a9e56dcf3f79c762ff05fbb9cfef85a4298e26bd0e80b048530a74ffff0447e36264698dc5edfce14b042

Download Submit
\Users\Admin\AppData\Roaming\AllInOneUpload.exe

Filesize
2.0MB

MD5
1fdbd0431c04412fa960a5e57f1f849d

SHA1
eb9b054e9c7670550dae23d3b9d0dfe12de3c14f

SHA256
dee5ae253938762466751f54ed52d1cd47992c93d503c4938af7f8f2bd45ccd2

SHA512
4b21a120449f3193c3d31ac68574ebdb0b957e855e5a9e56dcf3f79c762ff05fbb9cfef85a4298e26bd0e80b048530a74ffff0447e36264698dc5edfce14b042

Download Submit
\Users\Admin\AppData\Roaming\AllInOneUpload.exe

Filesize
2.0MB

MD5
1fdbd0431c04412fa960a5e57f1f849d

SHA1
eb9b054e9c7670550dae23d3b9d0dfe12de3c14f

SHA256
dee5ae253938762466751f54ed52d1cd47992c93d503c4938af7f8f2bd45ccd2

SHA512
4b21a120449f3193c3d31ac68574ebdb0b957e855e5a9e56dcf3f79c762ff05fbb9cfef85a4298e26bd0e80b048530a74ffff0447e36264698dc5edfce14b042

Download Submit
memory/520-69-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-65-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-66-0x000000000044736F-mapping.dmp

Download
memory/520-68-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/520-56-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-70-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-63-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-61-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-59-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-76-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/520-57-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/892-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing