07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

General

Target

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
Size

3.0MB
MD5

af4268c094f2a9c6e6a85f8626b9a5c7
SHA1

7d6b6083ec9081f52517cc7952dfb0c1c416e395
SHA256

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA512

2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
SSDEEP

49152:y2sQ8R/u6S/gPV4PW/vlLr8EdiITRf+EGg7dH1zaSo5hTk6k1qFG:yfQM/fSoPFNLQg1WT5Q

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	684	wmic.exe
Token: SeSecurityPrivilege	684	wmic.exe
Token: SeTakeOwnershipPrivilege	684	wmic.exe
Token: SeLoadDriverPrivilege	684	wmic.exe
Token: SeSystemProfilePrivilege	684	wmic.exe
Token: SeSystemtimePrivilege	684	wmic.exe
Token: SeProfSingleProcessPrivilege	684	wmic.exe
Token: SeIncBasePriorityPrivilege	684	wmic.exe
Token: SeCreatePagefilePrivilege	684	wmic.exe
Token: SeBackupPrivilege	684	wmic.exe
Token: SeRestorePrivilege	684	wmic.exe
Token: SeShutdownPrivilege	684	wmic.exe
Token: SeDebugPrivilege	684	wmic.exe
Token: SeSystemEnvironmentPrivilege	684	wmic.exe
Token: SeRemoteShutdownPrivilege	684	wmic.exe
Token: SeUndockPrivilege	684	wmic.exe
Token: SeManageVolumePrivilege	684	wmic.exe
Token: 33	684	wmic.exe
Token: 34	684	wmic.exe
Token: 35	684	wmic.exe
Token: SeIncreaseQuotaPrivilege	684	wmic.exe
Token: SeSecurityPrivilege	684	wmic.exe
Token: SeTakeOwnershipPrivilege	684	wmic.exe
Token: SeLoadDriverPrivilege	684	wmic.exe
Token: SeSystemProfilePrivilege	684	wmic.exe
Token: SeSystemtimePrivilege	684	wmic.exe
Token: SeProfSingleProcessPrivilege	684	wmic.exe
Token: SeIncBasePriorityPrivilege	684	wmic.exe
Token: SeCreatePagefilePrivilege	684	wmic.exe
Token: SeBackupPrivilege	684	wmic.exe
Token: SeRestorePrivilege	684	wmic.exe
Token: SeShutdownPrivilege	684	wmic.exe
Token: SeDebugPrivilege	684	wmic.exe
Token: SeSystemEnvironmentPrivilege	684	wmic.exe
Token: SeRemoteShutdownPrivilege	684	wmic.exe
Token: SeUndockPrivilege	684	wmic.exe
Token: SeManageVolumePrivilege	684	wmic.exe
Token: 33	684	wmic.exe
Token: 34	684	wmic.exe
Token: 35	684	wmic.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.execmd.execmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 684	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 1260 wrote to memory of 684	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 1260 wrote to memory of 684	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 1260 wrote to memory of 684	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	wmic.exe
PID 1260 wrote to memory of 1680	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1680	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1680	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1680	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1680 wrote to memory of 1760	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1760	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1760	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1760	1680	cmd.exe	WMIC.exe
PID 1260 wrote to memory of 1408	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1408	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1408	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1260 wrote to memory of 1408	1260	07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe	cmd.exe
PID 1408 wrote to memory of 1212	1408	cmd.exe	WMIC.exe
PID 1408 wrote to memory of 1212	1408	cmd.exe	WMIC.exe
PID 1408 wrote to memory of 1212	1408	cmd.exe	WMIC.exe
PID 1408 wrote to memory of 1212	1408	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe
"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit

Analysis

Sharing