43cc6ed0dcd1fa220283f7bbfa79aaf6342fdb5e73cdabdde67debb7e2ffc945

General

Target

140000000.filehistory.exe
Size

435KB
MD5

fba73c5a9abd2782af4bcfbce153e299
SHA1

bee739c3bcc4f415ef1f363229efbedf359cab6d
SHA256

43cc6ed0dcd1fa220283f7bbfa79aaf6342fdb5e73cdabdde67debb7e2ffc945
SHA512

f73396c01cbea32fc751f392c1de1f1aed47ee1f687752136894b9091a93ddbe6d5ced8a9b48fe2df63c1d21661da3479d196cd0f31ab3dd10c2f4339ea67c0f
SSDEEP

12288:f8n3bVLUBUOw4ra554+zy+RG+EBH8ATUUC8up:mlG+G5p

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
55	3900	powershell.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3576	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	checkip.dyndns.org
37	ipinfo.io

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	140000000.filehistory.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	140000000.filehistory.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756\Blob = 030000000100000014000000bd9d781b00bfce0f0c9a916f7c5d62c9baea27560200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a00302010202086dc55f15c886f8b7300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303431393030333834385a170d3235303732333030333834385a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009d15d3a7e0b4f742c983f359bac2144f43877201ed770b0677c2f122fa7644bcc738b9fac231dd813ae32293be4d8379cce42a2d4c4d31260942e06072d14cde3fd79db76604e888965966d0bffcf5a6922fd654646c503b06d7ed0670eb021b5feef201bb5afae5304563147927b6fe1b0b8056d4a351d8c2746cedf6d73e1f164fa4341794bce332fb24a3e93cf9b834bac234ab529ec513211bf2d189c0d1a6298c4008a544b67c153006e5c42356987600529bcdf6ff8b996fe50c1ff150419688ffcbaeaeb5c43c5bfb101b4fd72280416106db850f68957001a5b4a90c64e35e75c60ec6d18a2bd9bd493964b23d1db6813e97fdfab074b8f29663f3170203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010055b2d8afc7634b1a62c88db965772b61b0b837ead2ac9cd7c18a0af4c0e1603cf37c344d62ffe913eab660b5b2f71d509cf50907f93039b629df44fed0329163c7f74e10be27217d5b98a5fb664b3c0501bb3b2b50994d3a9dea70898ea6c376720e3a5c258e79816a59ef806c4a2de8af6d741a351ae1e84772e9206a6f4fb186a32caabf33b8306c3074dc4a6a1494f017eac7a64eedfa53a9960255338234554b714da4cf0781553999eaf2cc1d85f1809eeb7b3ddb85bb14c64b082b9990c6df52eaddd8cca4c74836453aec619e28edd29c6f11734990c9bebc52d029eafa6bfbee81f59e278d432e6f83da619933ab5492a75a3958db090bcd7313ffce	140000000.filehistory.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756\Blob = 140000000100000014000000e39b4cfaee73a6ad7993c9847646b4fe51241c650b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000000200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000bd9d781b00bfce0f0c9a916f7c5d62c9baea27562000000001000000e0020000308202dc308201c4a00302010202086dc55f15c886f8b7300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303431393030333834385a170d3235303732333030333834385a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009d15d3a7e0b4f742c983f359bac2144f43877201ed770b0677c2f122fa7644bcc738b9fac231dd813ae32293be4d8379cce42a2d4c4d31260942e06072d14cde3fd79db76604e888965966d0bffcf5a6922fd654646c503b06d7ed0670eb021b5feef201bb5afae5304563147927b6fe1b0b8056d4a351d8c2746cedf6d73e1f164fa4341794bce332fb24a3e93cf9b834bac234ab529ec513211bf2d189c0d1a6298c4008a544b67c153006e5c42356987600529bcdf6ff8b996fe50c1ff150419688ffcbaeaeb5c43c5bfb101b4fd72280416106db850f68957001a5b4a90c64e35e75c60ec6d18a2bd9bd493964b23d1db6813e97fdfab074b8f29663f3170203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010055b2d8afc7634b1a62c88db965772b61b0b837ead2ac9cd7c18a0af4c0e1603cf37c344d62ffe913eab660b5b2f71d509cf50907f93039b629df44fed0329163c7f74e10be27217d5b98a5fb664b3c0501bb3b2b50994d3a9dea70898ea6c376720e3a5c258e79816a59ef806c4a2de8af6d741a351ae1e84772e9206a6f4fb186a32caabf33b8306c3074dc4a6a1494f017eac7a64eedfa53a9960255338234554b714da4cf0781553999eaf2cc1d85f1809eeb7b3ddb85bb14c64b082b9990c6df52eaddd8cca4c74836453aec619e28edd29c6f11734990c9bebc52d029eafa6bfbee81f59e278d432e6f83da619933ab5492a75a3958db090bcd7313ffce	140000000.filehistory.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756	140000000.filehistory.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756\Blob = 030000000100000014000000bd9d781b00bfce0f0c9a916f7c5d62c9baea27560200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a00302010202086dc55f15c886f8b7300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3232303431393030333834385a170d3235303732333030333834385a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009d15d3a7e0b4f742c983f359bac2144f43877201ed770b0677c2f122fa7644bcc738b9fac231dd813ae32293be4d8379cce42a2d4c4d31260942e06072d14cde3fd79db76604e888965966d0bffcf5a6922fd654646c503b06d7ed0670eb021b5feef201bb5afae5304563147927b6fe1b0b8056d4a351d8c2746cedf6d73e1f164fa4341794bce332fb24a3e93cf9b834bac234ab529ec513211bf2d189c0d1a6298c4008a544b67c153006e5c42356987600529bcdf6ff8b996fe50c1ff150419688ffcbaeaeb5c43c5bfb101b4fd72280416106db850f68957001a5b4a90c64e35e75c60ec6d18a2bd9bd493964b23d1db6813e97fdfab074b8f29663f3170203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010055b2d8afc7634b1a62c88db965772b61b0b837ead2ac9cd7c18a0af4c0e1603cf37c344d62ffe913eab660b5b2f71d509cf50907f93039b629df44fed0329163c7f74e10be27217d5b98a5fb664b3c0501bb3b2b50994d3a9dea70898ea6c376720e3a5c258e79816a59ef806c4a2de8af6d741a351ae1e84772e9206a6f4fb186a32caabf33b8306c3074dc4a6a1494f017eac7a64eedfa53a9960255338234554b714da4cf0781553999eaf2cc1d85f1809eeb7b3ddb85bb14c64b082b9990c6df52eaddd8cca4c74836453aec619e28edd29c6f11734990c9bebc52d029eafa6bfbee81f59e278d432e6f83da619933ab5492a75a3958db090bcd7313ffce	140000000.filehistory.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756	140000000.filehistory.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2548	140000000.filehistory.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2548	140000000.filehistory.exe
3900	powershell.exe
3900	powershell.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe
2548	140000000.filehistory.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	140000000.filehistory.exe
Token: SeDebugPrivilege	3900	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3576	2548	140000000.filehistory.exe	92
PID 2548 wrote to memory of 3576	2548	140000000.filehistory.exe	92
PID 2548 wrote to memory of 3900	2548	140000000.filehistory.exe	93
PID 2548 wrote to memory of 3900	2548	140000000.filehistory.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	140000000.filehistory.exe

C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe
"C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2548
- C:\Windows\SYSTEM32\netsh.exe
  "netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\140000000.filehistory.exe SystemUpdate ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwAgAC0AdQBzAGUAYgBhAHMAaQBjAHAAYQByAHMAaQBuAGcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwADsAZQB4AGkAdAAKAH0ACgBzAGwAZQBlAHAAIAAyAH0A
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmpAAB7.tmp

Filesize
2KB

MD5
53c1f238fd9c66e75822ef7f0cf9e023

SHA1
8e0022770ab0861f5d5d53e4d95f25b0a73493e5

SHA256
c4a06e5c794c9012412edd964adfa4a29a5500ff9caa30f13b59918ee3b4230a

SHA512
bca73e30f4d05e0c61464269951a14c0d5ad89527f750f3682ebee37d9a11bba7b559849b57bfbce624732743381fc530f2d453cd49f6a7ac219d5e3edc3f281

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBB82.tmp

Filesize
2KB

MD5
3d6b12a352f4bfa0ef25038ef4f7ba4f

SHA1
4f1eb3fd80afee9b50513a2fdfeb93520b5f24d6

SHA256
b0aa49637179704272bcd196874c4e776aa4dad2f71eb55e1a9e1c7d98785fb1

SHA512
295875ffdf2ee0deafc36d6d4dc11b54f49cdd94f9ae68d8c0bc602848583fa51951ec75144f6383172e504c9783794d5f4c6e1b7dce6de4a1a647e07fe41ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xypuhoqf.onv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BD9D781B00BFCE0F0C9A916F7C5D62C9BAEA2756

Filesize
1KB

MD5
9c1b5723ecbb34aaf656189633a49330

SHA1
ab86927d6463406fb4dd5ccc151b466f9bbcf916

SHA256
daed2e976a6e9bb0eafa710bae9b0286c0247660b00389646638c73d92981fc1

SHA512
1cafa770f07d8f53a9826b88d1e7825a713b278c2e1a60f87f69141a743356a2366cc66466f09664505743b7f3d95d7b60b8ee461c9b5d769f5ae63283c5bc0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\E39B4CFAEE73A6AD7993C9847646B4FE51241C65

Filesize
208B

MD5
7f257530d7daf13044f667da73b77105

SHA1
ce1d815e4a9153fb77c5724e5bcd2b21c7eea772

SHA256
71f7e28d1e5a38cda9b0b2bbd4777dd08e84daa923f14e9d9858d70f711653c4

SHA512
625d7ba0231ba3f5a9291677ece36186c39a495f1979bbf16eb92ef3d78d4a03b3b002afc79a45092a354b9365171ef67d34dc85494733b06ed97a4daa5ae259

Download Submit
memory/2548-170-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-146-0x000001338FD40000-0x000001338FD50000-memory.dmp

Filesize
64KB

Download
memory/2548-148-0x00000133A9590000-0x00000133A95B1000-memory.dmp

Filesize
132KB

Download
memory/2548-149-0x00000133914D0000-0x00000133914E5000-memory.dmp

Filesize
84KB

Download
memory/2548-150-0x00000133A9840000-0x00000133A988A000-memory.dmp

Filesize
296KB

Download
memory/2548-151-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-152-0x00000133AB5F0000-0x00000133AB666000-memory.dmp

Filesize
472KB

Download
memory/2548-153-0x00000133A98C0000-0x00000133A98DE000-memory.dmp

Filesize
120KB

Download
memory/2548-154-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-155-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-156-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-133-0x000001338F620000-0x000001338F692000-memory.dmp

Filesize
456KB

Download
memory/2548-246-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-241-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-238-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-147-0x00000133A9590000-0x00000133A95B1000-memory.dmp

Filesize
132KB

Download
memory/2548-145-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-144-0x000001338FD40000-0x000001338FD50000-memory.dmp

Filesize
64KB

Download
memory/2548-237-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-217-0x0000013391380000-0x00000133914CE000-memory.dmp

Filesize
1.3MB

Download
memory/2548-143-0x0000013391500000-0x0000013391522000-memory.dmp

Filesize
136KB

Download
memory/3900-218-0x0000022E38EE0000-0x0000022E38EF0000-memory.dmp

Filesize
64KB

Download
memory/3900-219-0x0000022E38EE0000-0x0000022E38EF0000-memory.dmp

Filesize
64KB

Download
memory/3900-215-0x0000022E3B300000-0x0000022E3B44E000-memory.dmp

Filesize
1.3MB

Download
memory/3900-173-0x0000022E38EE0000-0x0000022E38EF0000-memory.dmp

Filesize
64KB

Download
memory/3900-240-0x0000022E3B300000-0x0000022E3B44E000-memory.dmp

Filesize
1.3MB

Download
memory/3900-172-0x0000022E38EE0000-0x0000022E38EF0000-memory.dmp

Filesize
64KB

Download
memory/3900-171-0x0000022E38EE0000-0x0000022E38EF0000-memory.dmp

Filesize
64KB

Download
memory/3900-249-0x0000022E3B300000-0x0000022E3B44E000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing