f2f475f0484fbb49bfe470ab660a5de761c8986ffe5b765af3e89b64fa899ca0

General

Target

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Size

1.4MB
MD5

ea1dffab7eaa37262aa2d5557d8915af
SHA1

930924541704e8283ef0ae3ebc3dcaf3f407cef4
SHA256

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0
SHA512

499b62c1cb105ed3f183a14d6c5420edfb016e49ed58e79f4098478a5bd631bcc4ba87681608a1c9f9dd8e9ba3b29356b481a0b124d453bc2c67f4e10674f5e9
SSDEEP

24576:/GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dR/F5htSt:epEUIvU0N9jkpjweXt77d5f8

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4868 taskkill.exe

pid	process
4868	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeAssignPrimaryTokenPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeLockMemoryPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeIncreaseQuotaPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeMachineAccountPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeTcbPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeSecurityPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeTakeOwnershipPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeLoadDriverPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeSystemProfilePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeSystemtimePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeProfSingleProcessPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeIncBasePriorityPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeCreatePagefilePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeCreatePermanentPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeBackupPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeRestorePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeShutdownPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeDebugPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeAuditPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeSystemEnvironmentPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeChangeNotifyPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeRemoteShutdownPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeUndockPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeSyncAgentPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeEnableDelegationPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeManageVolumePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeImpersonatePrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeCreateGlobalPrivilege	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: 31	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: 32	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: 33	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: 34	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: 35	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
Token: SeDebugPrivilege	4868	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.execmd.exe

description	pid	process	target process
PID 3400 wrote to memory of 3324	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe	cmd.exe
PID 3400 wrote to memory of 3324	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe	cmd.exe
PID 3400 wrote to memory of 3324	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe	cmd.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	taskkill.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	taskkill.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 4876	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe	chrome.exe
PID 3400 wrote to memory of 4876	3400	9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe
"C:\Users\Admin\AppData\Local\Temp\9970aa4cf1c6a8708af3447e17defc23ee7cba951a802507563684aa81865fb0.exe"
1⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400