53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247

Resubmissions

09/01/2023, 19:35

230109-yascvsah4v 8

09/01/2023, 19:26

230109-x5w4vsah2s 8

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2023, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.cmd
Size

1.6MB
MD5

b4796224dc192a7747017d2b5aa0673a
SHA1

2a97af4e0de5c4ec202110bd70ed12671286ee2d
SHA256

53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247
SHA512

3772fe073f32060a489238d0b66d627b6aee679caa7c5f4d218d83caa6f6459166b72f458ce834464cb3e22ee00f64668d3716a19fba5d1a8d3b27ed9d1fdc80
SSDEEP

24576:potxQMlJva9Ya7MLkx42rCpNofi6sznViZqzuW9Tg6yTtTK7ghb59Fz9BdnThKrj:qQCiTW6CwCnLu++gUr75hG

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
112	calderon.exe

Loads dropped DLL 2 IoCs

pid	Process
112	calderon.exe
112	calderon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	calderon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	calderon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	calderon.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2276	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	calderon.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
112	calderon.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: 36	1096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: 36	1096	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe
112	calderon.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4868	1788	cmd.exe	81
PID 1788 wrote to memory of 4868	1788	cmd.exe	81
PID 4868 wrote to memory of 4844	4868	cmd.exe	83
PID 4868 wrote to memory of 4844	4868	cmd.exe	83
PID 4868 wrote to memory of 4744	4868	cmd.exe	84
PID 4868 wrote to memory of 4744	4868	cmd.exe	84
PID 4868 wrote to memory of 2008	4868	cmd.exe	89
PID 4868 wrote to memory of 2008	4868	cmd.exe	89
PID 4868 wrote to memory of 3360	4868	cmd.exe	91
PID 4868 wrote to memory of 3360	4868	cmd.exe	91
PID 4868 wrote to memory of 1096	4868	cmd.exe	92
PID 4868 wrote to memory of 1096	4868	cmd.exe	92
PID 4868 wrote to memory of 2276	4868	cmd.exe	94
PID 4868 wrote to memory of 2276	4868	cmd.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	calderon.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	calderon.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\more.com
    more +5 C:\Users\Admin\AppData\Local\Temp\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.cmd
    3⤵
    PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(gc ~~) -replace '#', '' | Out-File -encoding ASCII ~~"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\keller\exe\venriquez\calderon.exe"
    3⤵
    PID:2008
- - C:\Windows\system32\certutil.exe
    certutil -decode -f C:\Users\Admin\AppData\Local\Temp\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.cmd "C:\Users\Admin\AppData\Roaming\keller\a3x\marin\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.a3x"
    3⤵
    PID:3360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\keller\exe\venriquez\calderon.exe" "C:\Users\Admin\AppData\Roaming\keller\a3x\marin\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:2276

C:\Users\Admin\AppData\Roaming\keller\exe\venriquez\calderon.exe
"C:\Users\Admin\AppData\Roaming\keller\exe\venriquez\calderon.exe" "C:\Users\Admin\AppData\Roaming\keller\a3x\marin\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.a3x" ""
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- outlook_office_path
- outlook_win_path
PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
858KB

MD5
c7719f774bb859240eb6dfa91a1f10be

SHA1
be1461e770333eb13e0fe66d378e3fac4f1112b5

SHA256
b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

SHA512
8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
9c364699bc8fff52ba5ad97b38a62136

SHA1
3acfdbf8b6ca70c8306e85a49f7400db1baa00ad

SHA256
0f5b6ba5348f50e696de1db2fe721a19e41ae56dba00187e5855e3f691d7bcfe

SHA512
f8f3e2766ed91b4d2cd24298b8e2aa0e5f6ecfc38085afcafd138a6b02952cf7747dbb19c4dbb560437759329cae8fe6b15144a25bc775b8ac21c5cfbcd5ac1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
3f1748498ea55abaefe8322fdedb6db2

SHA1
3e1a262a91f53a735c4e4800c48a55d63d26dda8

SHA256
f457898be18c5c9c7c7255fcaf07803e771a99eb71a4be802a60503716d3efef

SHA512
8fdaab3a6ffd66f5e42fa51776bcdcfe6932cc01b0d74ce1b659ceaee190db044d8530788cab1587fe2cfacf5087968f90e90b72fc0ad89514b77e59e2fc6e86

Download Submit
C:\Users\Admin\AppData\Roaming\keller\a3x\marin\53e129e6b4bf741766737bbe3c9e12070388943c2649b9a829af75eefae79247.a3x

Filesize
310KB

MD5
35a298491537b74c3f73ca214ab76d60

SHA1
2223f92283180ce453874c66eb2410ee501eab01

SHA256
6dd1931acdd2d8e6faa5121ec18f28ec904cbd5c12562b7e8352e93c50ab7d97

SHA512
5f21f624205e4b92bf95fa2b18dbe76a20d71952d94737bde00bd51b3f23258b7a2e435e0e13947776b4d8086de4de9b0e9a5796250258def86b10b3ed21880d

Download Submit
C:\Users\Admin\AppData\Roaming\keller\exe\VENRIQ~1\calderon.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\keller\exe\venriquez\calderon.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/4744-135-0x000001FC3F490000-0x000001FC3F4B2000-memory.dmp

Filesize
136KB

Download
memory/4744-138-0x00007FFD37D30000-0x00007FFD387F1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-137-0x00007FFD37D30000-0x00007FFD387F1000-memory.dmp

Filesize
10.8MB

Download