dd649575ad8c4888137f3325a6262d7634f97c07c9711fac49e2c73bd395202a

General

Target

11.exe
Size

1.3MB
MD5

2c66dc153c947bdc4dda7118f60e4540
SHA1

a6c6250a54c16cebdd8ded3a3b8f7bd6d7db0464
SHA256

dd649575ad8c4888137f3325a6262d7634f97c07c9711fac49e2c73bd395202a
SHA512

7b1f7a0f8cebb3a2a5f25755238457556e4a41b4ad0aa643284f8ff41b1ba6b1d22675edf980f1ba82da5a611b4d14a5c45e5f57584979f7ea1192153b545211
SSDEEP

24576:ehloDX0XOf4lLZPs0AZCZWE7cRGo8sOgZQz00a3CI98Ye3BmQ/KV1PpAOvqADs6u:ehloJf6FFAZCZWE7cRGo8sOgZy00a3C3

Score

9^/10

collection spyware stealer upx

Malware Config

Signatures

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4864-153-0x0000000000400000-0x0000000000465000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5072-141-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView
behavioral2/memory/5072-143-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/5072-141-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral2/memory/5072-143-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral2/memory/4864-153-0x0000000000400000-0x0000000000465000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
5072	A.exe
4864	B.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2772-133-0x0000000000020000-0x00000000002F2000-memory.dmp	upx
behavioral2/files/0x000300000000072d-136.dat	upx
behavioral2/files/0x000300000000072d-137.dat	upx
behavioral2/memory/5072-141-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/5072-143-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/2772-145-0x0000000000020000-0x00000000002F2000-memory.dmp	upx
behavioral2/memory/2772-146-0x0000000000020000-0x00000000002F2000-memory.dmp	upx
behavioral2/memory/2772-147-0x0000000000020000-0x00000000002F2000-memory.dmp	upx
behavioral2/memory/2772-148-0x0000000000020000-0x00000000002F2000-memory.dmp	upx
behavioral2/files/0x000a00000001db2b-151.dat	upx
behavioral2/files/0x000a00000001db2b-152.dat	upx
behavioral2/memory/4864-153-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral2/memory/2772-154-0x0000000000020000-0x00000000002F2000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	B.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2772-145-0x0000000000020000-0x00000000002F2000-memory.dmp	autoit_exe
behavioral2/memory/2772-146-0x0000000000020000-0x00000000002F2000-memory.dmp	autoit_exe
behavioral2/memory/2772-147-0x0000000000020000-0x00000000002F2000-memory.dmp	autoit_exe
behavioral2/memory/2772-148-0x0000000000020000-0x00000000002F2000-memory.dmp	autoit_exe
behavioral2/memory/2772-154-0x0000000000020000-0x00000000002F2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5072	A.exe
5072	A.exe
5072	A.exe
5072	A.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 216	2772	11.exe	87
PID 2772 wrote to memory of 216	2772	11.exe	87
PID 2772 wrote to memory of 216	2772	11.exe	87
PID 216 wrote to memory of 5072	216	cmd.exe	89
PID 216 wrote to memory of 5072	216	cmd.exe	89
PID 216 wrote to memory of 5072	216	cmd.exe	89
PID 2772 wrote to memory of 5016	2772	11.exe	97
PID 2772 wrote to memory of 5016	2772	11.exe	97
PID 2772 wrote to memory of 5016	2772	11.exe	97
PID 5016 wrote to memory of 4864	5016	cmd.exe	99
PID 5016 wrote to memory of 4864	5016	cmd.exe	99
PID 5016 wrote to memory of 4864	5016	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\A.exe
    A.exe /stext A.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\B.exe
    B.exe /stext B.txt
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.txt

Filesize
4KB

MD5
da9a4a4b3869b633570f0328857ab308

SHA1
a28b700676caac92151465ee98f8db04d050a7cd

SHA256
54ab428ebf079d77ff4c770dbf0d7278b317b53b2d3efcf117f1b439c3b85677

SHA512
43ceb519348803f2b501d99f13f208605411fb0cc1dff85144890087669f9d3ef060757ba13a45d4049fc3218ca0e975686e703f914f51e04b6d859e7d060c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
memory/2772-148-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/2772-145-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/2772-146-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/2772-147-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/2772-133-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/2772-154-0x0000000000020000-0x00000000002F2000-memory.dmp

Filesize
2.8MB

Download
memory/4864-153-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5072-143-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5072-141-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing