dd649575ad8c4888137f3325a6262d7634f97c07c9711fac49e2c73bd395202a

General

Target

11.exe
Size

1.3MB
MD5

2c66dc153c947bdc4dda7118f60e4540
SHA1

a6c6250a54c16cebdd8ded3a3b8f7bd6d7db0464
SHA256

dd649575ad8c4888137f3325a6262d7634f97c07c9711fac49e2c73bd395202a
SHA512

7b1f7a0f8cebb3a2a5f25755238457556e4a41b4ad0aa643284f8ff41b1ba6b1d22675edf980f1ba82da5a611b4d14a5c45e5f57584979f7ea1192153b545211
SSDEEP

24576:ehloDX0XOf4lLZPs0AZCZWE7cRGo8sOgZQz00a3CI98Ye3BmQ/KV1PpAOvqADs6u:ehloJf6FFAZCZWE7cRGo8sOgZy00a3C3

Score

9^/10

collection spyware stealer upx

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1796-71-0x0000000000400000-0x0000000000465000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1420-62-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView
behavioral1/memory/1420-64-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/1420-62-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral1/memory/1420-64-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral1/memory/1796-71-0x0000000000400000-0x0000000000465000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
1420	A.exe
1796	B.exe

Loads dropped DLL 3 IoCs

pid	Process
1496	cmd.exe
1496	cmd.exe
540	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122da-55.dat	upx
behavioral1/files/0x000b0000000122da-57.dat	upx
behavioral1/files/0x000b0000000122da-56.dat	upx
behavioral1/files/0x000b0000000122da-58.dat	upx
behavioral1/memory/1544-59-0x00000000013D0000-0x00000000016A2000-memory.dmp	upx
behavioral1/memory/1420-62-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1420-64-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1544-65-0x00000000013D0000-0x00000000016A2000-memory.dmp	upx
behavioral1/files/0x00080000000122e2-68.dat	upx
behavioral1/files/0x00080000000122e2-69.dat	upx
behavioral1/files/0x00080000000122e2-70.dat	upx
behavioral1/memory/1796-71-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/1544-72-0x00000000013D0000-0x00000000016A2000-memory.dmp	upx
behavioral1/memory/1544-73-0x00000000013D0000-0x00000000016A2000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	B.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1544-59-0x00000000013D0000-0x00000000016A2000-memory.dmp	autoit_exe
behavioral1/memory/1544-65-0x00000000013D0000-0x00000000016A2000-memory.dmp	autoit_exe
behavioral1/memory/1544-72-0x00000000013D0000-0x00000000016A2000-memory.dmp	autoit_exe
behavioral1/memory/1544-73-0x00000000013D0000-0x00000000016A2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1420	A.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1496	1544	11.exe	28
PID 1544 wrote to memory of 1496	1544	11.exe	28
PID 1544 wrote to memory of 1496	1544	11.exe	28
PID 1544 wrote to memory of 1496	1544	11.exe	28
PID 1496 wrote to memory of 1420	1496	cmd.exe	30
PID 1496 wrote to memory of 1420	1496	cmd.exe	30
PID 1496 wrote to memory of 1420	1496	cmd.exe	30
PID 1496 wrote to memory of 1420	1496	cmd.exe	30
PID 1544 wrote to memory of 540	1544	11.exe	32
PID 1544 wrote to memory of 540	1544	11.exe	32
PID 1544 wrote to memory of 540	1544	11.exe	32
PID 1544 wrote to memory of 540	1544	11.exe	32
PID 540 wrote to memory of 1796	540	cmd.exe	34
PID 540 wrote to memory of 1796	540	cmd.exe	34
PID 540 wrote to memory of 1796	540	cmd.exe	34
PID 540 wrote to memory of 1796	540	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\A.exe
    A.exe /stext A.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\B.exe
    B.exe /stext B.txt
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
memory/1420-64-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1420-62-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1496-61-0x0000000001F00000-0x0000000001F83000-memory.dmp

Filesize
524KB

Download
memory/1496-60-0x0000000001F00000-0x0000000001F83000-memory.dmp

Filesize
524KB

Download
memory/1544-65-0x00000000013D0000-0x00000000016A2000-memory.dmp

Filesize
2.8MB

Download
memory/1544-59-0x00000000013D0000-0x00000000016A2000-memory.dmp

Filesize
2.8MB

Download
memory/1544-72-0x00000000013D0000-0x00000000016A2000-memory.dmp

Filesize
2.8MB

Download
memory/1544-73-0x00000000013D0000-0x00000000016A2000-memory.dmp

Filesize
2.8MB

Download
memory/1796-71-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing