Analysis
- max time kernel: 60s
- max time network: 177s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13-03-2023 22:34

Behavioral task: behavioral1
- Sample: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Resource: win7-20230220-en
General
- Target: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Size: 3.0MB
- MD5: a8a106555b9e1f92569d623c66ee8c12
- SHA1: a5080c26b5f5911c10d80654c84239a226fc75d1
- SHA256: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
- SHA512: 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
- SSDEEP: 49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                           pid   process
  Token: SeIncreaseQuotaPrivilege       3600  wmic.exe
  Token: SeSecurityPrivilege            3600  wmic.exe
  Token: SeTakeOwnershipPrivilege       3600  wmic.exe
  Token: SeLoadDriverPrivilege          3600  wmic.exe
  Token: SeSystemProfilePrivilege       3600  wmic.exe
  Token: SeSystemtimePrivilege          3600  wmic.exe
  Token: SeProfSingleProcessPrivilege   3600  wmic.exe
  Token: SeIncBasePriorityPrivilege     3600  wmic.exe
  Token: SeCreatePagefilePrivilege      3600  wmic.exe
  Token: SeBackupPrivilege              3600  wmic.exe
  Token: SeRestorePrivilege             3600  wmic.exe
  Token: SeShutdownPrivilege            3600  wmic.exe
  Token: SeDebugPrivilege               3600  wmic.exe
  Token: SeSystemEnvironmentPrivilege   3600  wmic.exe
  Token: SeRemoteShutdownPrivilege      3600  wmic.exe
  Token: SeUndockPrivilege              3600  wmic.exe
  Token: SeManageVolumePrivilege        3600  wmic.exe
  Token: 33                             3600  wmic.exe
  Token: 34                             3600  wmic.exe
  Token: 35                             3600  wmic.exe
  Token: 36                             3600  wmic.exe
  Token: SeIncreaseQuotaPrivilege       3600  wmic.exe
  Token: SeSecurityPrivilege            3600  wmic.exe
  Token: SeTakeOwnershipPrivilege       3600  wmic.exe
  Token: SeLoadDriverPrivilege          3600  wmic.exe
  Token: SeSystemProfilePrivilege       3600  wmic.exe
  Token: SeSystemtimePrivilege          3600  wmic.exe
  Token: SeProfSingleProcessPrivilege   3600  wmic.exe
  Token: SeIncBasePriorityPrivilege     3600  wmic.exe
  Token: SeCreatePagefilePrivilege      3600  wmic.exe
  Token: SeBackupPrivilege              3600  wmic.exe
  Token: SeRestorePrivilege             3600  wmic.exe
  Token: SeShutdownPrivilege            3600  wmic.exe
  Token: SeDebugPrivilege               3600  wmic.exe
  Token: SeSystemEnvironmentPrivilege   3600  wmic.exe
  Token: SeRemoteShutdownPrivilege      3600  wmic.exe
  Token: SeUndockPrivilege              3600  wmic.exe
  Token: SeManageVolumePrivilege        3600  wmic.exe
  Token: 33                             3600  wmic.exe
  Token: 34                             3600  wmic.exe
  Token: 35                             3600  wmic.exe
  Token: 36                             3600  wmic.exe
  Token: SeIncreaseQuotaPrivilege       1516  WMIC.exe
  Token: SeSecurityPrivilege            1516  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1516  WMIC.exe
  Token: SeLoadDriverPrivilege          1516  WMIC.exe
  Token: SeSystemProfilePrivilege       1516  WMIC.exe
  Token: SeSystemtimePrivilege          1516  WMIC.exe
  Token: SeProfSingleProcessPrivilege   1516  WMIC.exe
  Token: SeIncBasePriorityPrivilege     1516  WMIC.exe
  Token: SeCreatePagefilePrivilege      1516  WMIC.exe
  Token: SeBackupPrivilege              1516  WMIC.exe
  Token: SeRestorePrivilege             1516  WMIC.exe
  Token: SeShutdownPrivilege            1516  WMIC.exe
  Token: SeDebugPrivilege               1516  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1516  WMIC.exe
  Token: SeRemoteShutdownPrivilege      1516  WMIC.exe
  Token: SeUndockPrivilege              1516  WMIC.exe
  Token: SeManageVolumePrivilege        1516  WMIC.exe
  Token: 33                             1516  WMIC.exe
  Token: 34                             1516  WMIC.exe
  Token: 35                             1516  WMIC.exe
  Token: 36                             1516  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1516  WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                          pid   process                                                                    target process
  PID 4124 wrote to memory of 3600     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 4124 wrote to memory of 3600     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 4124 wrote to memory of 3600     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 4124 wrote to memory of 4920     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4124 wrote to memory of 4920     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4124 wrote to memory of 4920     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4920 wrote to memory of 1516     4920  cmd.exe                                                                    WMIC.exe
  PID 4920 wrote to memory of 1516     4920  cmd.exe                                                                    WMIC.exe
  PID 4920 wrote to memory of 1516     4920  cmd.exe                                                                    WMIC.exe
  PID 4124 wrote to memory of 4292     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4124 wrote to memory of 4292     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4124 wrote to memory of 4292     4124  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4292 wrote to memory of 4196     4292  cmd.exe                                                                    WMIC.exe
  PID 4292 wrote to memory of 4196     4292  cmd.exe                                                                    WMIC.exe
  PID 4292 wrote to memory of 4196     4292  cmd.exe                                                                    WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"
  PID: 4124
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 3600
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 4920
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 1516
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 4292
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 4196
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 71KB
  MD5: a3eb5f22bc8e7f4060e3ff18c4ac70b9
  SHA1: 8480869a34c9723063dba9cc8279cf4e7c2bc4cd
  SHA256: 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6
  SHA512: 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0