52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb

General

Target

0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
Size

951KB
MD5

a3df44994428bfe9b70f9774e76347bb
SHA1

0eac1f1303e55f7c0239af4b1eca3e992ed05693
SHA256

52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb
SHA512

75bf4289be57495b878b06d6bc540911b31508753e8fb4ec1bbeec29dad124de9cdc75e378c657728e0d77278b8973ec5144f886b2305b8688e21572a0c20530
SSDEEP

24576:yli277DjOWEIycmmy7UmCJrYTSKIKTn6ALDx:UiWvhnyc7ytc

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowUpdate\\WindowUpdate.exe"	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	powershell.exe
936	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1568	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1568	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 936	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	26
PID 1976 wrote to memory of 936	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	26
PID 1976 wrote to memory of 936	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	26
PID 1976 wrote to memory of 936	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	26
PID 1976 wrote to memory of 1032	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	28
PID 1976 wrote to memory of 1032	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	28
PID 1976 wrote to memory of 1032	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	28
PID 1976 wrote to memory of 1032	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	28
PID 1976 wrote to memory of 1708	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	30
PID 1976 wrote to memory of 1708	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	30
PID 1976 wrote to memory of 1708	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	30
PID 1976 wrote to memory of 1708	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	30
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32
PID 1976 wrote to memory of 1568	1976	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
"C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xStBrvuHffFYx.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xStBrvuHffFYx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD89.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
  "C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD89.tmp

Filesize
1KB

MD5
9c0443a23b22ece891ad0b7775616fd1

SHA1
65eb7cbe0b0c5374e2d14129fd86fb4f8b1dd963

SHA256
afc5617f90b1b479c61461eea2bceea828e84b78c8acfd48b75869769c3dc579

SHA512
b2687e3fd8502a7f804cd2a41b05a16f9d5abe512e61938c881b1b693555eb685f68bbd0cbe917d4103f79f57beb90534b3ff9068ff455a4013a1e047fcbf535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
185176ccb90ea3a278f42d0bb17e8d69

SHA1
d8a20ac5edd7cbac94b97871458533707e051147

SHA256
79d57707115f8a5db90f0be7a597b8bab34e30f693f00f44a90b9b38b533182c

SHA512
c253f61be9a5110af7747984b7900cc9a3cda4ad478581a44a1c3450822f0451a59b65afb9a41f4c22b29ad0ded3774c6e7ab3a72d405a0d9135ace9158940f0

Download Submit
memory/936-82-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/936-79-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/936-59-0x0000000000000000-mapping.dmp

Download
memory/1032-81-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/1032-80-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/1032-61-0x0000000000000000-mapping.dmp

Download
memory/1568-73-0x000000000042A97E-mapping.dmp

Download
memory/1568-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1708-62-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000001360000-0x0000000001454000-memory.dmp

Filesize
976KB

Download
memory/1976-66-0x0000000005000000-0x0000000005046000-memory.dmp

Filesize
280KB

Download
memory/1976-58-0x0000000005DB0000-0x0000000005E30000-memory.dmp

Filesize
512KB

Download
memory/1976-57-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1976-56-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/1976-55-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads