07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

General

Target

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Size

3.0MB
MD5

af4268c094f2a9c6e6a85f8626b9a5c7
SHA1

7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512

2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
SSDEEP

49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: 36	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: 36	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	3772	WMIC.exe
Token: SeSecurityPrivilege	3772	WMIC.exe
Token: SeTakeOwnershipPrivilege	3772	WMIC.exe
Token: SeLoadDriverPrivilege	3772	WMIC.exe
Token: SeSystemProfilePrivilege	3772	WMIC.exe
Token: SeSystemtimePrivilege	3772	WMIC.exe
Token: SeProfSingleProcessPrivilege	3772	WMIC.exe
Token: SeIncBasePriorityPrivilege	3772	WMIC.exe
Token: SeCreatePagefilePrivilege	3772	WMIC.exe
Token: SeBackupPrivilege	3772	WMIC.exe
Token: SeRestorePrivilege	3772	WMIC.exe
Token: SeShutdownPrivilege	3772	WMIC.exe
Token: SeDebugPrivilege	3772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3772	WMIC.exe
Token: SeRemoteShutdownPrivilege	3772	WMIC.exe
Token: SeUndockPrivilege	3772	WMIC.exe
Token: SeManageVolumePrivilege	3772	WMIC.exe
Token: 33	3772	WMIC.exe
Token: 34	3772	WMIC.exe
Token: 35	3772	WMIC.exe
Token: 36	3772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3772	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.execmd.execmd.exe

description	pid	process	target process
PID 3160 wrote to memory of 1948	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 3160 wrote to memory of 1948	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 3160 wrote to memory of 1948	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 3160 wrote to memory of 2132	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 3160 wrote to memory of 2132	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 3160 wrote to memory of 2132	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 2132 wrote to memory of 3772	2132	cmd.exe	WMIC.exe
PID 2132 wrote to memory of 3772	2132	cmd.exe	WMIC.exe
PID 2132 wrote to memory of 3772	2132	cmd.exe	WMIC.exe
PID 3160 wrote to memory of 1720	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 3160 wrote to memory of 1720	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 3160 wrote to memory of 1720	3160	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1720 wrote to memory of 4656	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 4656	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 4656	1720	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
a3eb5f22bc8e7f4060e3ff18c4ac70b9

SHA1
8480869a34c9723063dba9cc8279cf4e7c2bc4cd

SHA256
0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6

SHA512
3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0

Download Submit

Analysis

Sharing