e33aee583553de9a48fbffd5a545ddce4af362aeb4b44ace89209ca8e94306a4

General

Target

Urgent Price request. P.O1672891.exe
Size

304KB
MD5

6b8c9f1aa06f8587edd290f3d0188359
SHA1

e893cb5944cb149f77ea53900bae972bd6c9e531
SHA256

91f7c342ce163fe12c018a5068f921b5b78574cf05927bb85876be8484a2c237
SHA512

9c170eeee18c0f41564a77056ec0cb31a87f684fec0b329e0a5586e55df0e29de2167020039689edb5009c1de62461aa49a3d067953e84e744b00e286568d641
SSDEEP

6144:/Ya6MvLBCyy7CpvnutlJJ0UoBeZJtKXWM/UYzBA21:/YyzBby7kvG9cexWWM/USf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1096	ldirurncu.exe
1536	ldirurncu.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	Urgent Price request. P.O1672891.exe
1096	ldirurncu.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ldirurncu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ldirurncu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ldirurncu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 1536	1096	ldirurncu.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1096	ldirurncu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	ldirurncu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1096	1292	Urgent Price request. P.O1672891.exe	28
PID 1292 wrote to memory of 1096	1292	Urgent Price request. P.O1672891.exe	28
PID 1292 wrote to memory of 1096	1292	Urgent Price request. P.O1672891.exe	28
PID 1292 wrote to memory of 1096	1292	Urgent Price request. P.O1672891.exe	28
PID 1096 wrote to memory of 1536	1096	ldirurncu.exe	29
PID 1096 wrote to memory of 1536	1096	ldirurncu.exe	29
PID 1096 wrote to memory of 1536	1096	ldirurncu.exe	29
PID 1096 wrote to memory of 1536	1096	ldirurncu.exe	29
PID 1096 wrote to memory of 1536	1096	ldirurncu.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ldirurncu.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ldirurncu.exe

C:\Users\Admin\AppData\Local\Temp\Urgent Price request. P.O1672891.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Price request. P.O1672891.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe
  "C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe" C:\Users\Admin\AppData\Local\Temp\ihzftjpnwvd.dis
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe
    "C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ihzftjpnwvd.dis

Filesize
5KB

MD5
64ae16cf194e91d5d7fc38184586419f

SHA1
8c4b17234f068d990e682786e0893bcbda92c48d

SHA256
04b5e84dca611af344540eaf19291808a2b757c406909f187fd780f6cc671a43

SHA512
577147edcb445da5ec87fbdcb09c85f85c32241b7a727039b9b1ff3482af8eaace46b15fab7bb94efdbe60fde7b477a5d010057b638a884d2bd640e2b3609bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe

Filesize
79KB

MD5
d272d9c6727f1fa89c767c59610617ca

SHA1
03906ace9a41ad444a7d8334a9cb300c7a35504b

SHA256
487fd13c3e80422bb3f03822ffd6865a5e363578f8eda2e10cdbe62a7eb3a638

SHA512
e634052f6865e7f9c488d465b7dc0fb021c81d62dd0ce8cda84744fb2e48999831dc8e8ec891347d830b38c59462275447e19a83365804252c39b3b17e308e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe

Filesize
79KB

MD5
d272d9c6727f1fa89c767c59610617ca

SHA1
03906ace9a41ad444a7d8334a9cb300c7a35504b

SHA256
487fd13c3e80422bb3f03822ffd6865a5e363578f8eda2e10cdbe62a7eb3a638

SHA512
e634052f6865e7f9c488d465b7dc0fb021c81d62dd0ce8cda84744fb2e48999831dc8e8ec891347d830b38c59462275447e19a83365804252c39b3b17e308e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldirurncu.exe

Filesize
79KB

MD5
d272d9c6727f1fa89c767c59610617ca

SHA1
03906ace9a41ad444a7d8334a9cb300c7a35504b

SHA256
487fd13c3e80422bb3f03822ffd6865a5e363578f8eda2e10cdbe62a7eb3a638

SHA512
e634052f6865e7f9c488d465b7dc0fb021c81d62dd0ce8cda84744fb2e48999831dc8e8ec891347d830b38c59462275447e19a83365804252c39b3b17e308e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyfoowlhnao.h

Filesize
263KB

MD5
3386e78ea0453db57387f707b0b8a5c6

SHA1
95a0c585baee1dea7591b90bba73aebd00f9b8c7

SHA256
87f5fabb41c5b8f8aebe03e50a1d95398e0380d5e7c6b784908a4e0330062792

SHA512
e1c32f05c63eb0fbf9320312ba4ecd433bbfd5935b1522553ddb0cdf645f75985c3aa402fc872a1f27dbb3fedb0dfc69d68146329b253a95c9a98c5eb2e3ebdc

Download Submit
\Users\Admin\AppData\Local\Temp\ldirurncu.exe

Filesize
79KB

MD5
d272d9c6727f1fa89c767c59610617ca

SHA1
03906ace9a41ad444a7d8334a9cb300c7a35504b

SHA256
487fd13c3e80422bb3f03822ffd6865a5e363578f8eda2e10cdbe62a7eb3a638

SHA512
e634052f6865e7f9c488d465b7dc0fb021c81d62dd0ce8cda84744fb2e48999831dc8e8ec891347d830b38c59462275447e19a83365804252c39b3b17e308e70

Download Submit
\Users\Admin\AppData\Local\Temp\ldirurncu.exe

Filesize
79KB

MD5
d272d9c6727f1fa89c767c59610617ca

SHA1
03906ace9a41ad444a7d8334a9cb300c7a35504b

SHA256
487fd13c3e80422bb3f03822ffd6865a5e363578f8eda2e10cdbe62a7eb3a638

SHA512
e634052f6865e7f9c488d465b7dc0fb021c81d62dd0ce8cda84744fb2e48999831dc8e8ec891347d830b38c59462275447e19a83365804252c39b3b17e308e70

Download Submit
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1536-63-0x0000000000401896-mapping.dmp

Download
memory/1536-66-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/1536-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing