14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf

General

Target

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Size

4.4MB
MD5

15ae1218c1c773497a6a5e6db8d11922
SHA1

8596dbd6e5e7dfdfbacd04051d192dd597d72b67
SHA256

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf
SHA512

57c417052ace7f7e1b4c60da0549e733e6e1bcc35c3c952a0595501248ef25a801e71148d55334aeb38c57a9ecb851476f7c34fab86ee00d319e95ac79f4c45b
SSDEEP

49152:yb9BphIVBmo8cBBThHHCrmYVzZLbdIo0MaN5EyKktGH5R7of01N:ipCmo/CrmyVYEqGZR7n

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1612	wmic.exe
Token: SeSecurityPrivilege	1612	wmic.exe
Token: SeTakeOwnershipPrivilege	1612	wmic.exe
Token: SeLoadDriverPrivilege	1612	wmic.exe
Token: SeSystemProfilePrivilege	1612	wmic.exe
Token: SeSystemtimePrivilege	1612	wmic.exe
Token: SeProfSingleProcessPrivilege	1612	wmic.exe
Token: SeIncBasePriorityPrivilege	1612	wmic.exe
Token: SeCreatePagefilePrivilege	1612	wmic.exe
Token: SeBackupPrivilege	1612	wmic.exe
Token: SeRestorePrivilege	1612	wmic.exe
Token: SeShutdownPrivilege	1612	wmic.exe
Token: SeDebugPrivilege	1612	wmic.exe
Token: SeSystemEnvironmentPrivilege	1612	wmic.exe
Token: SeRemoteShutdownPrivilege	1612	wmic.exe
Token: SeUndockPrivilege	1612	wmic.exe
Token: SeManageVolumePrivilege	1612	wmic.exe
Token: 33	1612	wmic.exe
Token: 34	1612	wmic.exe
Token: 35	1612	wmic.exe
Token: SeIncreaseQuotaPrivilege	1612	wmic.exe
Token: SeSecurityPrivilege	1612	wmic.exe
Token: SeTakeOwnershipPrivilege	1612	wmic.exe
Token: SeLoadDriverPrivilege	1612	wmic.exe
Token: SeSystemProfilePrivilege	1612	wmic.exe
Token: SeSystemtimePrivilege	1612	wmic.exe
Token: SeProfSingleProcessPrivilege	1612	wmic.exe
Token: SeIncBasePriorityPrivilege	1612	wmic.exe
Token: SeCreatePagefilePrivilege	1612	wmic.exe
Token: SeBackupPrivilege	1612	wmic.exe
Token: SeRestorePrivilege	1612	wmic.exe
Token: SeShutdownPrivilege	1612	wmic.exe
Token: SeDebugPrivilege	1612	wmic.exe
Token: SeSystemEnvironmentPrivilege	1612	wmic.exe
Token: SeRemoteShutdownPrivilege	1612	wmic.exe
Token: SeUndockPrivilege	1612	wmic.exe
Token: SeManageVolumePrivilege	1612	wmic.exe
Token: 33	1612	wmic.exe
Token: 34	1612	wmic.exe
Token: 35	1612	wmic.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.execmd.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1612	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1992 wrote to memory of 1612	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1992 wrote to memory of 1612	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	wmic.exe
PID 1992 wrote to memory of 1460	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1992 wrote to memory of 1460	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1992 wrote to memory of 1460	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1460 wrote to memory of 1964	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1964	1460	cmd.exe	WMIC.exe
PID 1460 wrote to memory of 1964	1460	cmd.exe	WMIC.exe
PID 1992 wrote to memory of 1088	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1992 wrote to memory of 1088	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1992 wrote to memory of 1088	1992	14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe	cmd.exe
PID 1088 wrote to memory of 1720	1088	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1720	1088	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1720	1088	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe
"C:\Users\Admin\AppData\Local\Temp\14711577406a5d442440b680200c3e2837cdbefe8416f0b50a98849d602b04cf.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e23f78017d1e6eddfc8480e1679ee4

SHA1
0667bd1b7129b105bd2c66ef6ad54c9648aec072

SHA256
4fed2f4c33a3876390d8520f184062927aca8e0ce3538127de3a2f66ea856d91

SHA512
b1260e7ba7ad6d5dd0daeabc5f7cc1fc7a2e9259092f8d70d3d9eed923ed8aa60adcce4c27e9cb20966d500ed59edaaba9570f01d6a84180f1fb83e7b5c20049

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads