b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501

General

Target

b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe
Size

765KB
MD5

27a53256e9465a2e6e705abeefd49168
SHA1

7ada2c19fb5bc557f46a2fcdc469f146e20928bb
SHA256

b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501
SHA512

76c51a440ba93b527f99fa6b06288904c1cd2f16f7edaedfd2fcd8e5905a5a2d46ebb35e38d3f3934184030d0bc0d85cd57189bcc01248312821fcc1303c62e3
SSDEEP

12288:VMrIy9070p65r+taVOh9IQL8pP0WVQH5h7L5m1IT4oybn+Zv8THkhNMy:FymN5SDh9VQpciQnP5LAbn2vyFy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4880	vzg96.exe
4040	vWo47.exe
4272	dVD40.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vWo47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vWo47.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vzg96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vzg96.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4272	dVD40.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	dVD40.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4880	1264	b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe	80
PID 1264 wrote to memory of 4880	1264	b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe	80
PID 1264 wrote to memory of 4880	1264	b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe	80
PID 4880 wrote to memory of 4040	4880	vzg96.exe	81
PID 4880 wrote to memory of 4040	4880	vzg96.exe	81
PID 4880 wrote to memory of 4040	4880	vzg96.exe	81
PID 4040 wrote to memory of 4272	4040	vWo47.exe	82
PID 4040 wrote to memory of 4272	4040	vWo47.exe	82
PID 4040 wrote to memory of 4272	4040	vWo47.exe	82

C:\Users\Admin\AppData\Local\Temp\b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe
"C:\Users\Admin\AppData\Local\Temp\b5d79415952acd805bda802de67f286b8d116ede409cb0450b3a7a0fa3709501.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzg96.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzg96.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWo47.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWo47.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVD40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVD40.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzg96.exe

Filesize
661KB

MD5
44bfe23040aeb3066cc6a8722c0cc25e

SHA1
21ae493c248cbfdbdca5e4ec2f842bc01aca98e6

SHA256
80d30e0d7172cf287dc894adfc925aa5299b1695ce404fbb6fe3f1655409518f

SHA512
3223d8fde73ba54fb84db1ce0c8f1259a0d17ccc86825472ef08802212552cf59b623420df70a111ab84eb786faad9fdd349d9b10b6ca900080709e294c493d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vzg96.exe

Filesize
661KB

MD5
44bfe23040aeb3066cc6a8722c0cc25e

SHA1
21ae493c248cbfdbdca5e4ec2f842bc01aca98e6

SHA256
80d30e0d7172cf287dc894adfc925aa5299b1695ce404fbb6fe3f1655409518f

SHA512
3223d8fde73ba54fb84db1ce0c8f1259a0d17ccc86825472ef08802212552cf59b623420df70a111ab84eb786faad9fdd349d9b10b6ca900080709e294c493d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWo47.exe

Filesize
516KB

MD5
a580eb726d5c5d01bd330076e30df7e5

SHA1
ca5d45e79cdef1a7d4756c34a60a08d4c62bd1b2

SHA256
dbb9c67966df8ac7a05844abdd04e77670ab10807c4cb321eb365631fa848cd2

SHA512
ee0da3449a279ef9bf31a6d49ce9ba6daf51bc468afce051132a82eaadb1b66a8d543c095bd372ca47c7edac212887c6fe52b3966ac66acf40e3039c4594b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWo47.exe

Filesize
516KB

MD5
a580eb726d5c5d01bd330076e30df7e5

SHA1
ca5d45e79cdef1a7d4756c34a60a08d4c62bd1b2

SHA256
dbb9c67966df8ac7a05844abdd04e77670ab10807c4cb321eb365631fa848cd2

SHA512
ee0da3449a279ef9bf31a6d49ce9ba6daf51bc468afce051132a82eaadb1b66a8d543c095bd372ca47c7edac212887c6fe52b3966ac66acf40e3039c4594b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVD40.exe

Filesize
297KB

MD5
828bc96964e9263ad218e73b6a1bc9f0

SHA1
80dc270a7d3f3a51a6355610da3de48ef01a4395

SHA256
0e42850ff811159647afdbaf6d2527ce09dfff15059d5fe183bd936a565657ec

SHA512
f05cb6fc745dafb039450ef9affb28ddd278f9b7f08921c6fc1cfdf57b0e4636ed872907fec74d2df7d6307e45ada47112f614dc70d2570158f270cefe8f8e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVD40.exe

Filesize
297KB

MD5
828bc96964e9263ad218e73b6a1bc9f0

SHA1
80dc270a7d3f3a51a6355610da3de48ef01a4395

SHA256
0e42850ff811159647afdbaf6d2527ce09dfff15059d5fe183bd936a565657ec

SHA512
f05cb6fc745dafb039450ef9affb28ddd278f9b7f08921c6fc1cfdf57b0e4636ed872907fec74d2df7d6307e45ada47112f614dc70d2570158f270cefe8f8e74

Download Submit
memory/4272-142-0x0000000002450000-0x000000000249B000-memory.dmp

Filesize
300KB

Download
memory/4272-146-0x00000000055F0000-0x0000000005C08000-memory.dmp

Filesize
6.1MB

Download
memory/4272-141-0x0000000000844000-0x0000000000873000-memory.dmp

Filesize
188KB

Download
memory/4272-153-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4272-143-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/4272-144-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/4272-145-0x0000000000844000-0x0000000000873000-memory.dmp

Filesize
188KB

Download
memory/4272-147-0x0000000005C10000-0x0000000005D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4272-148-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4272-149-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/4272-150-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/4272-151-0x0000000006690000-0x0000000006722000-memory.dmp

Filesize
584KB

Download
memory/4272-152-0x0000000002250000-0x0000000002412000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing