4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

General

Target

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Size

1.1MB
MD5

7560516355efa446658667a180977c11
SHA1

19cf36775b246599d9ae7fcd9b92f137a0d1c2bf
SHA256

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc
SHA512

61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395
SSDEEP

24576:S2TqSc+qNUwI7VV3iQPhFt4EKqZGy8uux/vJQrg1neCEsitbBQv:SiqSc+afwn3iQ7Cl6uZJQk1neMinq

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "c:\\windows\\sms.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Executes dropped EXE 3 IoCs

Processes:

sms.exesms.exesms.exe

pid process

4556 sms.exe
3008 sms.exe
3116 sms.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3260 netsh.exe
3796 netsh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4556	sms.exe
3008	sms.exe
3116	sms.exe

pid	process
3260	netsh.exe
3796	netsh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exesms.exe

description	pid	process	target process
PID 1436 set thread context of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 set thread context of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 4556 set thread context of 3008	4556	sms.exe	sms.exe
PID 3008 set thread context of 3116	3008	sms.exe	sms.exe

Drops file in Windows directory 3 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exe

description	ioc	process
File opened for modification	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File created	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File opened for modification	\??\c:\windows\sms.exe	sms.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

sms.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "fbdirecto.net/1/"	sms.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sms.exe

pid process

3116 sms.exe
3116 sms.exe

pid	process
3116	sms.exe
3116	sms.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exesms.exesms.exesms.exe

description	pid	process	target process
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	netsh.exe
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 4556 wrote to memory of 3008	4556	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3008 wrote to memory of 3116	3008	sms.exe	sms.exe
PID 3116 wrote to memory of 3796	3116	sms.exe	netsh.exe
PID 3116 wrote to memory of 3796	3116	sms.exe	netsh.exe
PID 3116 wrote to memory of 3796	3116	sms.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
3⤵
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
4⤵
- Modifies Windows Firewall
PID:3260

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4556

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

\??\c:\windows\sms.exe
"c:\windows\sms.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
7⤵
- Modifies Windows Firewall
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
\??\c:\windows\sms.exe
Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
memory/624-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-132-0x0000000000000000-mapping.dmp

Download
memory/624-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-146-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-141-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-136-0x0000000000000000-mapping.dmp

Download
memory/1148-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3008-147-0x0000000000000000-mapping.dmp

Download
memory/3008-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3116-152-0x0000000000000000-mapping.dmp

Download
memory/3116-156-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-159-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-160-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3260-142-0x0000000000000000-mapping.dmp

Download
memory/3796-158-0x0000000000000000-mapping.dmp

Download
memory/4556-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads