70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655

General

Target

SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe
Size

3.1MB
MD5

cd12cb026f70700b6d7d3122360c52e8
SHA1

b944514f2b56e27a9b5e26316f72fd9fec8aa94c
SHA256

70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655
SHA512

6e9c3d683dbf9e16ae868ceb3078dffe330b7b81f50de204aab5d10d3b3baede98853b7f4f9fd2e871d6aa439716c9b6c0cef416478845954a7a08d8efe71f19
SSDEEP

49152:T5wh59b5nEKS6JKokJL06d4vD9GJjq/5qS3mynxdD4/7AQxDy:TUnuxBzd1IgYmoIfD

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

280 1076 WerFault.exe SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2008 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2008 powershell.exe

pid	pid_target	process	target process
280	1076	WerFault.exe	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe

pid	process
2008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe

description	pid	process	target process
PID 1076 wrote to memory of 2008	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	powershell.exe
PID 1076 wrote to memory of 2008	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	powershell.exe
PID 1076 wrote to memory of 2008	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	powershell.exe
PID 1076 wrote to memory of 280	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	WerFault.exe
PID 1076 wrote to memory of 280	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	WerFault.exe
PID 1076 wrote to memory of 280	1076	SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1076 -s 1076
  2⤵
  - Program crash
  PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar377D.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_default_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_default_webdata

Filesize
92KB

MD5
9b43e176b30bab68f88ae294f9f6bc56

SHA1
f2a0297791668a2d5f41c5aeb6ebfeb0b835a15b

SHA256
afed81e2f90c02e3e723d744fe43ca3f02021b18c4adaccb9f5f340b71a2fea8

SHA512
9c8ab7bacbc3a133e602b396c85b9beab8c6ff45b10b762e07ce993b692a8f28dcb429219a40e5457bddfa01b4820d1b4cfc43ccd614d54f2cfbf796f3b9168a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_network_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwtJnydcizUadtJMPKEVhdhoIWPLnm\sensfiles.zip

Filesize
3.6MB

MD5
c8eca096b1b9b9edbf1baf2a0353faec

SHA1
93e9117a7002f81b786c75fabe5a7c9fb86ac9a9

SHA256
c4dd5dfc22cd3f2bf9c360878ec35716a83966e62ca22e852e10659822952b0d

SHA512
f099c1438ec26c0a17ab1315c45add238ab9bf8bec62ccaa4bc75cef0848a8e8c7b51687c7064071e54b033c91ec72a42d3fc88b6af4d40d87f645e350988381

Download Submit
memory/2008-97-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2008-96-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-98-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2008-95-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2008-99-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2008-100-0x000000000296B000-0x00000000029A2000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing