1bb3d1cfe99f7dcc5898431a3329c39eb6ca9d2e39072c83d469b3898c1a124f

General

Target

2daf6321a7fb96cd0834ebd018e67dc2.exe
Size

3.0MB
MD5

2daf6321a7fb96cd0834ebd018e67dc2
SHA1

a5a919af73f94ac824ee77df9c140a3a616518e8
SHA256

1bb3d1cfe99f7dcc5898431a3329c39eb6ca9d2e39072c83d469b3898c1a124f
SHA512

210a04c1d2397acc1d199b48076c7b7d434b4cfe02e25d090b95bd4ffe9cf29a17e4d849762657f033e1bd5cf40f319122e799d30ce80ad8176715b2ac7d6450
SSDEEP

49152:5Lx3cqFBYdH3EQK1EsBgcPaVsLFA8p9u1Xk1:02YEB1LO8p

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1032	wmic.exe
Token: SeSecurityPrivilege	1032	wmic.exe
Token: SeTakeOwnershipPrivilege	1032	wmic.exe
Token: SeLoadDriverPrivilege	1032	wmic.exe
Token: SeSystemProfilePrivilege	1032	wmic.exe
Token: SeSystemtimePrivilege	1032	wmic.exe
Token: SeProfSingleProcessPrivilege	1032	wmic.exe
Token: SeIncBasePriorityPrivilege	1032	wmic.exe
Token: SeCreatePagefilePrivilege	1032	wmic.exe
Token: SeBackupPrivilege	1032	wmic.exe
Token: SeRestorePrivilege	1032	wmic.exe
Token: SeShutdownPrivilege	1032	wmic.exe
Token: SeDebugPrivilege	1032	wmic.exe
Token: SeSystemEnvironmentPrivilege	1032	wmic.exe
Token: SeRemoteShutdownPrivilege	1032	wmic.exe
Token: SeUndockPrivilege	1032	wmic.exe
Token: SeManageVolumePrivilege	1032	wmic.exe
Token: 33	1032	wmic.exe
Token: 34	1032	wmic.exe
Token: 35	1032	wmic.exe
Token: 36	1032	wmic.exe
Token: SeIncreaseQuotaPrivilege	1032	wmic.exe
Token: SeSecurityPrivilege	1032	wmic.exe
Token: SeTakeOwnershipPrivilege	1032	wmic.exe
Token: SeLoadDriverPrivilege	1032	wmic.exe
Token: SeSystemProfilePrivilege	1032	wmic.exe
Token: SeSystemtimePrivilege	1032	wmic.exe
Token: SeProfSingleProcessPrivilege	1032	wmic.exe
Token: SeIncBasePriorityPrivilege	1032	wmic.exe
Token: SeCreatePagefilePrivilege	1032	wmic.exe
Token: SeBackupPrivilege	1032	wmic.exe
Token: SeRestorePrivilege	1032	wmic.exe
Token: SeShutdownPrivilege	1032	wmic.exe
Token: SeDebugPrivilege	1032	wmic.exe
Token: SeSystemEnvironmentPrivilege	1032	wmic.exe
Token: SeRemoteShutdownPrivilege	1032	wmic.exe
Token: SeUndockPrivilege	1032	wmic.exe
Token: SeManageVolumePrivilege	1032	wmic.exe
Token: 33	1032	wmic.exe
Token: 34	1032	wmic.exe
Token: 35	1032	wmic.exe
Token: 36	1032	wmic.exe
Token: SeIncreaseQuotaPrivilege	4580	WMIC.exe
Token: SeSecurityPrivilege	4580	WMIC.exe
Token: SeTakeOwnershipPrivilege	4580	WMIC.exe
Token: SeLoadDriverPrivilege	4580	WMIC.exe
Token: SeSystemProfilePrivilege	4580	WMIC.exe
Token: SeSystemtimePrivilege	4580	WMIC.exe
Token: SeProfSingleProcessPrivilege	4580	WMIC.exe
Token: SeIncBasePriorityPrivilege	4580	WMIC.exe
Token: SeCreatePagefilePrivilege	4580	WMIC.exe
Token: SeBackupPrivilege	4580	WMIC.exe
Token: SeRestorePrivilege	4580	WMIC.exe
Token: SeShutdownPrivilege	4580	WMIC.exe
Token: SeDebugPrivilege	4580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4580	WMIC.exe
Token: SeRemoteShutdownPrivilege	4580	WMIC.exe
Token: SeUndockPrivilege	4580	WMIC.exe
Token: SeManageVolumePrivilege	4580	WMIC.exe
Token: 33	4580	WMIC.exe
Token: 34	4580	WMIC.exe
Token: 35	4580	WMIC.exe
Token: 36	4580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4580	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2daf6321a7fb96cd0834ebd018e67dc2.execmd.execmd.exe

description	pid	process	target process
PID 4228 wrote to memory of 1032	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	wmic.exe
PID 4228 wrote to memory of 1032	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	wmic.exe
PID 4228 wrote to memory of 1800	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	cmd.exe
PID 4228 wrote to memory of 1800	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	cmd.exe
PID 1800 wrote to memory of 4580	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 4580	1800	cmd.exe	WMIC.exe
PID 4228 wrote to memory of 4588	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	cmd.exe
PID 4228 wrote to memory of 4588	4228	2daf6321a7fb96cd0834ebd018e67dc2.exe	cmd.exe
PID 4588 wrote to memory of 224	4588	cmd.exe	WMIC.exe
PID 4588 wrote to memory of 224	4588	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2daf6321a7fb96cd0834ebd018e67dc2.exe
"C:\Users\Admin\AppData\Local\Temp\2daf6321a7fb96cd0834ebd018e67dc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit

Analysis

Sharing