49771182f73d733abe396700d5f30b1f0b29f94044b0c8158a5c3a4564305523

General

Target

SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe
Size

3.8MB
MD5

59f7602b250387b31bfc481f3efb9517
SHA1

0595cef0fca0e8c941a4d7b09a4ac8a50c7e0080
SHA256

49771182f73d733abe396700d5f30b1f0b29f94044b0c8158a5c3a4564305523
SHA512

70eb26be17e653b60e287334c26118e4ef7c5a5f2c92fd3b5a6b1178ca4c1a9bc8ecd4662958fb335de2e4f12f618efebe8aabe9448989d00747b723879dadee
SSDEEP

49152:deFHZuHw5+sQ/A+g+aOxadb6wq0RxyU24hkpBFwzpJKl4OLHMqEPeYc70Kjvw0:deMa+RsL5VxObM/Kjvw0

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3604	4712	WerFault.exe	84

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4812	4712	SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe	85
PID 4712 wrote to memory of 4812	4712	SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe	85
PID 4712 wrote to memory of 3644	4712	SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe	87
PID 4712 wrote to memory of 3644	4712	SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe	87
PID 3644 wrote to memory of 4848	3644	cmd.exe	89
PID 3644 wrote to memory of 4848	3644	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.66410738.28815.28750.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c "schtasks /Create /TR C:\Users\Admin\AppData\Local\Temp\\system /SC ONLOGON /TN system /IT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TR C:\Users\Admin\AppData\Local\Temp\\system /SC ONLOGON /TN system /IT
    3⤵
    - Creates scheduled task(s)
    PID:4848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4712 -s 1204
  2⤵
  - Program crash
  PID:3604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4712 -ip 4712
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_syuoynk4.0w3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\google_default_login_data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljQ9HoPZ4k2yCNUPWMQaRfOObx5VBr\sensfiles.zip

Filesize
4.4MB

MD5
9a4345532e90daef82476df6cc3f7ee8

SHA1
5725a76f73e4d4aea8690ba0ae412edbee347afc

SHA256
373def2666d68ede7e704d2243cd01ca51a9812a02fb5dcccf85cf209335532b

SHA512
3d8f140136467499dae79dc26481193f054042f2fe66c20b0365003b257a1ad76cec9bb93f7ef8bb0a29d50489f370ffe35b18fa963baca47b3008ad6c9af91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_default_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_default_webdata

Filesize
92KB

MD5
c9f27e93d4d2fb6dc5d4d1d2f7d529db

SHA1
cc44dd47cabe4d2ebba14361f8b5254064d365d3

SHA256
d724f78d92cc963b4a06a12a310c0f5411b1ce42361dcfc498a5759efe9fdd7c

SHA512
f7cc478278a5725e18ac8c7ff715fd88798b4562412d354925711c25353277ff2044d3c4a314d76f987006941b35cdde43deb9df4397b37689f67cb8fe541472

Download Submit
C:\Users\Admin\AppData\Local\Temp\qip surf_network_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/4812-142-0x000001B33D2E0000-0x000001B33D302000-memory.dmp

Filesize
136KB

Download
memory/4812-143-0x000001B33D360000-0x000001B33D370000-memory.dmp

Filesize
64KB

Download
memory/4812-144-0x000001B33D360000-0x000001B33D370000-memory.dmp

Filesize
64KB

Download
memory/4812-145-0x000001B33D360000-0x000001B33D370000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads