893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef

General

Target

e4d9015e2bed3af0480b51231b68bb23.exe
Size

194KB
MD5

e4d9015e2bed3af0480b51231b68bb23
SHA1

c148f8cc0d8930602a00155cc0f370d2e22a811a
SHA256

893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef
SHA512

5bc66c3aac2497c2e3df851dc75011cf529a0fd76ab18280a626c4a2975b07e740ed74cbb6afe9b4ea518d4a2772f5783120c3881ff551ef2be14abb0842c665
SSDEEP

6144:+rdOfeBDRzseSmV7v2PCc4gorppZiG73TAW:+rdOfeia79

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e4d9015e2bed3af0480b51231b68bb23.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipinfo.io
16	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e4d9015e2bed3af0480b51231b68bb23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1792	powershell.exe
1792	powershell.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe
1036	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	e4d9015e2bed3af0480b51231b68bb23.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4868	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1792	1036	e4d9015e2bed3af0480b51231b68bb23.exe	79
PID 1036 wrote to memory of 1792	1036	e4d9015e2bed3af0480b51231b68bb23.exe	79
PID 1036 wrote to memory of 1792	1036	e4d9015e2bed3af0480b51231b68bb23.exe	79
PID 1036 wrote to memory of 2900	1036	e4d9015e2bed3af0480b51231b68bb23.exe	81
PID 1036 wrote to memory of 2900	1036	e4d9015e2bed3af0480b51231b68bb23.exe	81
PID 1036 wrote to memory of 2900	1036	e4d9015e2bed3af0480b51231b68bb23.exe	81
PID 1036 wrote to memory of 4408	1036	e4d9015e2bed3af0480b51231b68bb23.exe	82
PID 1036 wrote to memory of 4408	1036	e4d9015e2bed3af0480b51231b68bb23.exe	82
PID 1036 wrote to memory of 4408	1036	e4d9015e2bed3af0480b51231b68bb23.exe	82
PID 1036 wrote to memory of 2104	1036	e4d9015e2bed3af0480b51231b68bb23.exe	83
PID 1036 wrote to memory of 2104	1036	e4d9015e2bed3af0480b51231b68bb23.exe	83
PID 1036 wrote to memory of 2104	1036	e4d9015e2bed3af0480b51231b68bb23.exe	83
PID 1036 wrote to memory of 2124	1036	e4d9015e2bed3af0480b51231b68bb23.exe	84
PID 1036 wrote to memory of 2124	1036	e4d9015e2bed3af0480b51231b68bb23.exe	84
PID 1036 wrote to memory of 2124	1036	e4d9015e2bed3af0480b51231b68bb23.exe	84
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85
PID 1036 wrote to memory of 4868	1036	e4d9015e2bed3af0480b51231b68bb23.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
"C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e4d9015e2bed3af0480b51231b68bb23.exe.log

Filesize
1KB

MD5
13b08803e0bb671919478d178f19d6e2

SHA1
9f8c1d2a16446f9ee1e3244f48d372aecccf4dd9

SHA256
bab001392f6a9fc257a302cf557c9f571c7b352f41aedda14b049976ee5fd1c9

SHA512
2fe208b9958329734a5c6ce6aa526ee20d2c02d351927e75f85f27c2ffdc3c9e3413c17dc6e0dd9eefc3fb379e936b6bef2984a6e44ffafdc7600f590398016f

Download Submit
memory/1036-132-0x0000000000390000-0x00000000003C6000-memory.dmp

Filesize
216KB

Download
memory/1036-133-0x0000000007660000-0x0000000007682000-memory.dmp

Filesize
136KB

Download
memory/1036-143-0x000000002A620000-0x000000002ABC4000-memory.dmp

Filesize
5.6MB

Download
memory/1036-142-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1792-137-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/1792-139-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/1792-140-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/1792-141-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/1792-136-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/1792-135-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/1792-138-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/4868-149-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4868-151-0x0000000008370000-0x000000000837A000-memory.dmp

Filesize
40KB

Download
memory/4868-152-0x00000000087F0000-0x0000000008802000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads