e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77

General

Target

e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe
Size

1.1MB
MD5

d89d1d4f78cf5f7917f3da70a8cf7def
SHA1

e4157c781581d762a3167d9248a38139569ae838
SHA256

e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77
SHA512

d020a8120532dbadc9b30ac714153606672166e289215f193e86b62ec5696b8a0fce8fe664cc994bd5fb1bbe895778110d511409c5de3bae648d7cdb6dc6ccee
SSDEEP

24576:hyYEuyexhit+pjYcGMMkjPFWMblpuvwdYTFB/yThfpo:UYEuDgfcAAvbf+9FB/yR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4124	y8583124.exe
4148	y1922743.exe
4932	k3669180.exe
1956	l0726204.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8583124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8583124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1922743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1922743.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2080	1956	WerFault.exe	70
1316	1956	WerFault.exe	70
4496	1956	WerFault.exe	70
3540	1956	WerFault.exe	70
3748	1956	WerFault.exe	70
4352	1956	WerFault.exe	70
2180	1956	WerFault.exe	70
1872	1956	WerFault.exe	70
4804	1956	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4932	k3669180.exe
4932	k3669180.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	k3669180.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4124	3432	e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe	66
PID 3432 wrote to memory of 4124	3432	e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe	66
PID 3432 wrote to memory of 4124	3432	e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe	66
PID 4124 wrote to memory of 4148	4124	y8583124.exe	67
PID 4124 wrote to memory of 4148	4124	y8583124.exe	67
PID 4124 wrote to memory of 4148	4124	y8583124.exe	67
PID 4148 wrote to memory of 4932	4148	y1922743.exe	68
PID 4148 wrote to memory of 4932	4148	y1922743.exe	68
PID 4148 wrote to memory of 4932	4148	y1922743.exe	68
PID 4148 wrote to memory of 1956	4148	y1922743.exe	70
PID 4148 wrote to memory of 1956	4148	y1922743.exe	70
PID 4148 wrote to memory of 1956	4148	y1922743.exe	70

C:\Users\Admin\AppData\Local\Temp\e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe
"C:\Users\Admin\AppData\Local\Temp\e3d7b1ecf8045bd378cfa746283cf76b9f49725625f239d8a321d58792651d77.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8583124.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8583124.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1922743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1922743.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3669180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3669180.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0726204.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0726204.exe
      4⤵
      Executes dropped EXE
      PID:1956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 620
        5⤵
        Program crash
        
        PID:2080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 700
        5⤵
        Program crash
        
        PID:1316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 772
        5⤵
        Program crash
        
        PID:4496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 848
        5⤵
        Program crash
        
        PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 896
        5⤵
        Program crash
        
        PID:3748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 868
        5⤵
        Program crash
        
        PID:4352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1120
        5⤵
        Program crash
        
        PID:2180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1172
        5⤵
        Program crash
        
        PID:1872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1084
        5⤵
        Program crash
        
        PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8583124.exe

Filesize
599KB

MD5
3ee464d7ec7faa26ee2d087b4db5755f

SHA1
92d13c897cfad9ab3a4bb6b4181bafd98d1ac5c7

SHA256
0e7324f6f34d2ebd7e05827d9fa7f3e4e027540c102ab92b5199d6b1d5eb8b8e

SHA512
7b6b68fb4fae68bf2d1696ff20117784bf268eda1fbb5eac72a5b0c3a562d49ca7f1ff6b4f3bd522ce5a13e3e35400c06979c9b42b3d84533b47054c7b607992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8583124.exe

Filesize
599KB

MD5
3ee464d7ec7faa26ee2d087b4db5755f

SHA1
92d13c897cfad9ab3a4bb6b4181bafd98d1ac5c7

SHA256
0e7324f6f34d2ebd7e05827d9fa7f3e4e027540c102ab92b5199d6b1d5eb8b8e

SHA512
7b6b68fb4fae68bf2d1696ff20117784bf268eda1fbb5eac72a5b0c3a562d49ca7f1ff6b4f3bd522ce5a13e3e35400c06979c9b42b3d84533b47054c7b607992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1922743.exe

Filesize
395KB

MD5
b6fa65626e97e066894ad56f41226f74

SHA1
1d572b9d132c562c19e1b862be6535362f2a8546

SHA256
59d7a025f7a9562b53dbd601e3cebd323f47105b39d26a95ab2a5b82ce044c11

SHA512
3a03829136299a7715c6279aa1756329406caf09d227b481b78672ba031c277e815d9829aa7767b6870200ba62b407b61c172e3f18049df81b1e9c24874e3ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1922743.exe

Filesize
395KB

MD5
b6fa65626e97e066894ad56f41226f74

SHA1
1d572b9d132c562c19e1b862be6535362f2a8546

SHA256
59d7a025f7a9562b53dbd601e3cebd323f47105b39d26a95ab2a5b82ce044c11

SHA512
3a03829136299a7715c6279aa1756329406caf09d227b481b78672ba031c277e815d9829aa7767b6870200ba62b407b61c172e3f18049df81b1e9c24874e3ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3669180.exe

Filesize
137KB

MD5
71f6b1fcd7a9921af360cb3b5802919c

SHA1
be32e90602721053d2c6c4c2a121b73da50c512d

SHA256
f7b9cc192fb754e5f50e62922e8fe58b6e0eb4a92a49424fcfa1ab809e5aae08

SHA512
50806cffcff9c3885a56fc399d2cf6b4b79c550690555afa77a6513d782e3c395ab690da2b5a639656326ad2a0ac641503e068536c0e1cc8c980cfc91ab9e28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3669180.exe

Filesize
137KB

MD5
71f6b1fcd7a9921af360cb3b5802919c

SHA1
be32e90602721053d2c6c4c2a121b73da50c512d

SHA256
f7b9cc192fb754e5f50e62922e8fe58b6e0eb4a92a49424fcfa1ab809e5aae08

SHA512
50806cffcff9c3885a56fc399d2cf6b4b79c550690555afa77a6513d782e3c395ab690da2b5a639656326ad2a0ac641503e068536c0e1cc8c980cfc91ab9e28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0726204.exe

Filesize
339KB

MD5
f6b1b24d87d8d4b8052d1551c5be99f9

SHA1
cfac1923e6e9436bbed8f29c9a3f936bb3275806

SHA256
d199a27d659d6aaaab4743b20dc8b7efca2ebf1ac1042bed05bf51433fbc34c3

SHA512
1d5b28cf371118cde9ed645f979e3bbbed5b8562dc32b0df379f9c8dce440d90a1dd4299c589adfd79f851096d4ac6e3e933878abdf04c18c013b314cbc0b249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0726204.exe

Filesize
339KB

MD5
f6b1b24d87d8d4b8052d1551c5be99f9

SHA1
cfac1923e6e9436bbed8f29c9a3f936bb3275806

SHA256
d199a27d659d6aaaab4743b20dc8b7efca2ebf1ac1042bed05bf51433fbc34c3

SHA512
1d5b28cf371118cde9ed645f979e3bbbed5b8562dc32b0df379f9c8dce440d90a1dd4299c589adfd79f851096d4ac6e3e933878abdf04c18c013b314cbc0b249

Download Submit
memory/1956-163-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1956-162-0x0000000000920000-0x0000000000955000-memory.dmp

Filesize
212KB

Download
memory/4932-148-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4932-153-0x0000000007FF0000-0x0000000008066000-memory.dmp

Filesize
472KB

Download
memory/4932-146-0x0000000006FB0000-0x0000000006FEE000-memory.dmp

Filesize
248KB

Download
memory/4932-149-0x0000000007360000-0x00000000073C6000-memory.dmp

Filesize
408KB

Download
memory/4932-150-0x0000000007ED0000-0x0000000007F62000-memory.dmp

Filesize
584KB

Download
memory/4932-151-0x0000000008470000-0x000000000896E000-memory.dmp

Filesize
5.0MB

Download
memory/4932-152-0x0000000007470000-0x00000000074C0000-memory.dmp

Filesize
320KB

Download
memory/4932-147-0x0000000006FF0000-0x000000000703B000-memory.dmp

Filesize
300KB

Download
memory/4932-154-0x0000000007F90000-0x0000000007FAE000-memory.dmp

Filesize
120KB

Download
memory/4932-155-0x0000000008970000-0x0000000008B32000-memory.dmp

Filesize
1.8MB

Download
memory/4932-156-0x0000000009070000-0x000000000959C000-memory.dmp

Filesize
5.2MB

Download
memory/4932-145-0x0000000007080000-0x000000000718A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-144-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/4932-143-0x00000000074C0000-0x0000000007AC6000-memory.dmp

Filesize
6.0MB

Download
memory/4932-142-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing