14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf

General

Target

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Size

4.4MB
MD5

15ae1218c1c773497a6a5e6db8d11922
SHA1

8596dbd6e5e7dfdfbacd04051d192dd597d72b67
SHA256

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf
SHA512

57c417052ace7f7e1b4c60da0549e733e6e1bcc35c3c952a0595501248ef25a801e71148d55334aeb38c57a9ecb851476f7c34fab86ee00d319e95ac79f4c45b
SSDEEP

49152:yb9BphIVBmo8cBBThHHCrmYVzZLbdIo0MaN5EyKktGH5R7of01N:ipCmo/CrmyVYEqGZR7n

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1536	wmic.exe
Token: SeSecurityPrivilege	1536	wmic.exe
Token: SeTakeOwnershipPrivilege	1536	wmic.exe
Token: SeLoadDriverPrivilege	1536	wmic.exe
Token: SeSystemProfilePrivilege	1536	wmic.exe
Token: SeSystemtimePrivilege	1536	wmic.exe
Token: SeProfSingleProcessPrivilege	1536	wmic.exe
Token: SeIncBasePriorityPrivilege	1536	wmic.exe
Token: SeCreatePagefilePrivilege	1536	wmic.exe
Token: SeBackupPrivilege	1536	wmic.exe
Token: SeRestorePrivilege	1536	wmic.exe
Token: SeShutdownPrivilege	1536	wmic.exe
Token: SeDebugPrivilege	1536	wmic.exe
Token: SeSystemEnvironmentPrivilege	1536	wmic.exe
Token: SeRemoteShutdownPrivilege	1536	wmic.exe
Token: SeUndockPrivilege	1536	wmic.exe
Token: SeManageVolumePrivilege	1536	wmic.exe
Token: 33	1536	wmic.exe
Token: 34	1536	wmic.exe
Token: 35	1536	wmic.exe
Token: SeIncreaseQuotaPrivilege	1536	wmic.exe
Token: SeSecurityPrivilege	1536	wmic.exe
Token: SeTakeOwnershipPrivilege	1536	wmic.exe
Token: SeLoadDriverPrivilege	1536	wmic.exe
Token: SeSystemProfilePrivilege	1536	wmic.exe
Token: SeSystemtimePrivilege	1536	wmic.exe
Token: SeProfSingleProcessPrivilege	1536	wmic.exe
Token: SeIncBasePriorityPrivilege	1536	wmic.exe
Token: SeCreatePagefilePrivilege	1536	wmic.exe
Token: SeBackupPrivilege	1536	wmic.exe
Token: SeRestorePrivilege	1536	wmic.exe
Token: SeShutdownPrivilege	1536	wmic.exe
Token: SeDebugPrivilege	1536	wmic.exe
Token: SeSystemEnvironmentPrivilege	1536	wmic.exe
Token: SeRemoteShutdownPrivilege	1536	wmic.exe
Token: SeUndockPrivilege	1536	wmic.exe
Token: SeManageVolumePrivilege	1536	wmic.exe
Token: 33	1536	wmic.exe
Token: 34	1536	wmic.exe
Token: 35	1536	wmic.exe
Token: SeIncreaseQuotaPrivilege	868	WMIC.exe
Token: SeSecurityPrivilege	868	WMIC.exe
Token: SeTakeOwnershipPrivilege	868	WMIC.exe
Token: SeLoadDriverPrivilege	868	WMIC.exe
Token: SeSystemProfilePrivilege	868	WMIC.exe
Token: SeSystemtimePrivilege	868	WMIC.exe
Token: SeProfSingleProcessPrivilege	868	WMIC.exe
Token: SeIncBasePriorityPrivilege	868	WMIC.exe
Token: SeCreatePagefilePrivilege	868	WMIC.exe
Token: SeBackupPrivilege	868	WMIC.exe
Token: SeRestorePrivilege	868	WMIC.exe
Token: SeShutdownPrivilege	868	WMIC.exe
Token: SeDebugPrivilege	868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	868	WMIC.exe
Token: SeRemoteShutdownPrivilege	868	WMIC.exe
Token: SeUndockPrivilege	868	WMIC.exe
Token: SeManageVolumePrivilege	868	WMIC.exe
Token: 33	868	WMIC.exe
Token: 34	868	WMIC.exe
Token: 35	868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	868	WMIC.exe
Token: SeSecurityPrivilege	868	WMIC.exe
Token: SeTakeOwnershipPrivilege	868	WMIC.exe
Token: SeLoadDriverPrivilege	868	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.execmd.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1536	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 836 wrote to memory of 1536	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 836 wrote to memory of 1536	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 836 wrote to memory of 1164	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 836 wrote to memory of 1164	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 836 wrote to memory of 1164	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1164 wrote to memory of 868	1164	cmd.exe	WMIC.exe
PID 1164 wrote to memory of 868	1164	cmd.exe	WMIC.exe
PID 1164 wrote to memory of 868	1164	cmd.exe	WMIC.exe
PID 836 wrote to memory of 1792	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 836 wrote to memory of 1792	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 836 wrote to memory of 1792	836	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1792 wrote to memory of 856	1792	cmd.exe	WMIC.exe
PID 1792 wrote to memory of 856	1792	cmd.exe	WMIC.exe
PID 1792 wrote to memory of 856	1792	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
"C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab236B.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads