85913d4430d1da9a29e295d98d21997c90edf6d3dea08c709c81e5c8302c3e0f

General

Target

SOA(12323).exe
Size

770KB
MD5

70cbe946ce455bc38c630348cf08fcac
SHA1

289dd1babdd5efe719a7336eb7a14c8eb2669008
SHA256

85913d4430d1da9a29e295d98d21997c90edf6d3dea08c709c81e5c8302c3e0f
SHA512

b7cf4f88f0e9456a2d76463b63ea2931715d67357958e488fae9b5152ae7b9f7e6b4d06fda18cb7e4502d5808bbbc81e06414cc2aecff31bb9b422a3e56d3818
SSDEEP

24576:axEO7Z61GF5nqVGlxiYhSuy1IB74GrORG:YZ6wF5qMI1uBB74GiRG

Score

10^/10

spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.smpp.com.my
Port:
587
Username:
ahsapari@smpp.com.my
Password:
abah740102

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SOA(12323).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	SOA(12323).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
35 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA(12323).exe

description pid process target process

PID 4332 set thread context of 2428 4332 SOA(12323).exe SOA(12323).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4060 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SOA(12323).exepowershell.exe

pid process

4332 SOA(12323).exe
4332 SOA(12323).exe
3628 powershell.exe
3628 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SOA(12323).exepowershell.exeSOA(12323).exe

description pid process

Token: SeDebugPrivilege 4332 SOA(12323).exe
Token: SeDebugPrivilege 3628 powershell.exe
Token: SeDebugPrivilege 2428 SOA(12323).exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SOA(12323).exe

pid process

2428 SOA(12323).exe

flow	ioc
36	api.ipify.org
35	api.ipify.org

description	pid	process	target process
PID 4332 set thread context of 2428	4332	SOA(12323).exe	SOA(12323).exe

pid	process
4060	schtasks.exe

pid	process
4332	SOA(12323).exe
4332	SOA(12323).exe
3628	powershell.exe
3628	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4332	SOA(12323).exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	2428	SOA(12323).exe

pid	process
2428	SOA(12323).exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SOA(12323).exe

description	pid	process	target process
PID 4332 wrote to memory of 3628	4332	SOA(12323).exe	powershell.exe
PID 4332 wrote to memory of 3628	4332	SOA(12323).exe	powershell.exe
PID 4332 wrote to memory of 3628	4332	SOA(12323).exe	powershell.exe
PID 4332 wrote to memory of 4060	4332	SOA(12323).exe	schtasks.exe
PID 4332 wrote to memory of 4060	4332	SOA(12323).exe	schtasks.exe
PID 4332 wrote to memory of 4060	4332	SOA(12323).exe	schtasks.exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe
PID 4332 wrote to memory of 2428	4332	SOA(12323).exe	SOA(12323).exe

C:\Users\Admin\AppData\Local\Temp\SOA(12323).exe
"C:\Users\Admin\AppData\Local\Temp\SOA(12323).exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wDKDgpGdE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wDKDgpGdE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB2D.tmp"
2⤵
- Creates scheduled task(s)
PID:4060

C:\Users\Admin\AppData\Local\Temp\SOA(12323).exe
"C:\Users\Admin\AppData\Local\Temp\SOA(12323).exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFB2D.tmp
Filesize
1KB

MD5
b266146e8e68510d68d7f957fef76beb

SHA1
cbfaeb2b454bacbb307e51f23463187d999929bd

SHA256
296ed8779fd752b811dea271c129b73de631fe5eb8dffa02726424ca0262b8be

SHA512
ce6c16d20d46236de38237481ac2d8e08751f8dc9bff39ae71399bc20e85310a98686cfe369674c4d135fce15604569b616741cfbcc40332c01fccf1d5132fee

Download Submit
memory/2428-145-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/2428-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2428-141-0x0000000000000000-mapping.dmp

Download
memory/3628-150-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/3628-147-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/3628-157-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/3628-139-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/3628-156-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/3628-155-0x0000000007370000-0x000000000737E000-memory.dmp

Filesize
56KB

Download
memory/3628-142-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/3628-154-0x00000000073C0000-0x0000000007456000-memory.dmp

Filesize
600KB

Download
memory/3628-144-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/3628-146-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/3628-153-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/3628-137-0x0000000000000000-mapping.dmp

Download
memory/3628-148-0x0000000006DE0000-0x0000000006E12000-memory.dmp

Filesize
200KB

Download
memory/3628-149-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

Filesize
304KB

Download
memory/3628-152-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/3628-151-0x0000000007780000-0x0000000007DFA000-memory.dmp

Filesize
6.5MB

Download
memory/4060-138-0x0000000000000000-mapping.dmp

Download
memory/4332-132-0x0000000000B00000-0x0000000000BC8000-memory.dmp

Filesize
800KB

Download
memory/4332-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/4332-134-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4332-135-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/4332-136-0x0000000009070000-0x000000000910C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads