25e4a522edaed7b5a38ef23b6c893caa0ad4343ddf61f69f720325522f5a69e4

General

Target

bf39239f0b1526c68de99294e9c8ef5f.exe
Size

601KB
MD5

bf39239f0b1526c68de99294e9c8ef5f
SHA1

e56a2e35f28f6b599cad84160693ea9e8a77ee47
SHA256

25e4a522edaed7b5a38ef23b6c893caa0ad4343ddf61f69f720325522f5a69e4
SHA512

a5027d34656d2c222179427418f14c18ada016c1e4734317bc93482e576f3d3bce2f310f087eb9792f1769eaa449c8523cb7a18cd59a3bf315b744c85000d44e
SSDEEP

12288:DHREStiZc6sOPep0zh5Z6SkX/tvH8DWeWS4pp9zFdP2+MlC/m+ADgfcTQt/N6zRH:DHRESwZc6s70

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk	bf39239f0b1526c68de99294e9c8ef5f.exe

Loads dropped DLL 5 IoCs

pid	Process
5104	bf39239f0b1526c68de99294e9c8ef5f.exe
5104	bf39239f0b1526c68de99294e9c8ef5f.exe
5104	bf39239f0b1526c68de99294e9c8ef5f.exe
5104	bf39239f0b1526c68de99294e9c8ef5f.exe
5104	bf39239f0b1526c68de99294e9c8ef5f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	bf39239f0b1526c68de99294e9c8ef5f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bf39239f0b1526c68de99294e9c8ef5f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	bf39239f0b1526c68de99294e9c8ef5f.exe

C:\Users\Admin\AppData\Local\Temp\bf39239f0b1526c68de99294e9c8ef5f.exe
"C:\Users\Admin\AppData\Local\Temp\bf39239f0b1526c68de99294e9c8ef5f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll

Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
memory/5104-152-0x000000000C3D0000-0x000000000C592000-memory.dmp

Filesize
1.8MB

Download
memory/5104-156-0x000000000C5A0000-0x000000000C602000-memory.dmp

Filesize
392KB

Download
memory/5104-133-0x00000000003B0000-0x000000000044E000-memory.dmp

Filesize
632KB

Download
memory/5104-162-0x000000000CBB0000-0x000000000CBEC000-memory.dmp

Filesize
240KB

Download
memory/5104-173-0x000000000D9F0000-0x000000000DA66000-memory.dmp

Filesize
472KB

Download
memory/5104-174-0x000000000D970000-0x000000000D9D6000-memory.dmp

Filesize
408KB

Download
memory/5104-150-0x000000000B370000-0x000000000B914000-memory.dmp

Filesize
5.6MB

Download
memory/5104-149-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/5104-179-0x000000000DAF0000-0x000000000DB68000-memory.dmp

Filesize
480KB

Download
memory/5104-134-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/5104-194-0x000000000DCA0000-0x000000000DCBE000-memory.dmp

Filesize
120KB

Download
memory/5104-198-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing