07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

General

Target

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Size

3.0MB
MD5

af4268c094f2a9c6e6a85f8626b9a5c7
SHA1

7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512

2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
SSDEEP

49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4584	wmic.exe
Token: SeSecurityPrivilege	4584	wmic.exe
Token: SeTakeOwnershipPrivilege	4584	wmic.exe
Token: SeLoadDriverPrivilege	4584	wmic.exe
Token: SeSystemProfilePrivilege	4584	wmic.exe
Token: SeSystemtimePrivilege	4584	wmic.exe
Token: SeProfSingleProcessPrivilege	4584	wmic.exe
Token: SeIncBasePriorityPrivilege	4584	wmic.exe
Token: SeCreatePagefilePrivilege	4584	wmic.exe
Token: SeBackupPrivilege	4584	wmic.exe
Token: SeRestorePrivilege	4584	wmic.exe
Token: SeShutdownPrivilege	4584	wmic.exe
Token: SeDebugPrivilege	4584	wmic.exe
Token: SeSystemEnvironmentPrivilege	4584	wmic.exe
Token: SeRemoteShutdownPrivilege	4584	wmic.exe
Token: SeUndockPrivilege	4584	wmic.exe
Token: SeManageVolumePrivilege	4584	wmic.exe
Token: 33	4584	wmic.exe
Token: 34	4584	wmic.exe
Token: 35	4584	wmic.exe
Token: 36	4584	wmic.exe
Token: SeIncreaseQuotaPrivilege	4584	wmic.exe
Token: SeSecurityPrivilege	4584	wmic.exe
Token: SeTakeOwnershipPrivilege	4584	wmic.exe
Token: SeLoadDriverPrivilege	4584	wmic.exe
Token: SeSystemProfilePrivilege	4584	wmic.exe
Token: SeSystemtimePrivilege	4584	wmic.exe
Token: SeProfSingleProcessPrivilege	4584	wmic.exe
Token: SeIncBasePriorityPrivilege	4584	wmic.exe
Token: SeCreatePagefilePrivilege	4584	wmic.exe
Token: SeBackupPrivilege	4584	wmic.exe
Token: SeRestorePrivilege	4584	wmic.exe
Token: SeShutdownPrivilege	4584	wmic.exe
Token: SeDebugPrivilege	4584	wmic.exe
Token: SeSystemEnvironmentPrivilege	4584	wmic.exe
Token: SeRemoteShutdownPrivilege	4584	wmic.exe
Token: SeUndockPrivilege	4584	wmic.exe
Token: SeManageVolumePrivilege	4584	wmic.exe
Token: 33	4584	wmic.exe
Token: 34	4584	wmic.exe
Token: 35	4584	wmic.exe
Token: 36	4584	wmic.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.execmd.execmd.exe

description	pid	process	target process
PID 4568 wrote to memory of 4584	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 4568 wrote to memory of 4584	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 4568 wrote to memory of 4584	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 4568 wrote to memory of 100	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 4568 wrote to memory of 100	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 4568 wrote to memory of 100	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 100 wrote to memory of 1760	100	cmd.exe	WMIC.exe
PID 100 wrote to memory of 1760	100	cmd.exe	WMIC.exe
PID 100 wrote to memory of 1760	100	cmd.exe	WMIC.exe
PID 4568 wrote to memory of 976	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 4568 wrote to memory of 976	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 4568 wrote to memory of 976	4568	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 976 wrote to memory of 3856	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3856	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3856	976	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
8c7576873886d730d55e52070f35fea0

SHA1
cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1

SHA256
06b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa

SHA512
374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
5aeeafe26d1e0441647e0b0d7b880c81

SHA1
45a00f65a99d1cec35bd6a21891ac469a86f451c

SHA256
c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd

SHA512
3e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5

Download Submit

Analysis

Sharing