1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2.exe
Size

4.6MB
MD5

2afcac7aaede32980c96fda99c8c8677
SHA1

436e83ce6882e798e5bb6d89a31913285886d3a2
SHA256

1cd60650fa3e560d8f7c80d4d059e669e64486bd3ca6daed52d8fdce14d0455b
SHA512

5ccba16f2b31f1271487729c6d502529fa329d56dc126f080481d567c37c7ed68760c808e7fb6559293c65cf9ea8deca67ba2670a42a806d7e158ce79a513907
SSDEEP

98304:DbcuGWyADhhIab1bvece79p6T215vhx8ovhqg4zi4RWouv60FFS7W:0dyhhIaZNeZy2Lb8Uf4G4EoE6t

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1264-54-0x000000013F260000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1264-100-0x000000013F260000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1264-138-0x000000013F260000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1264-148-0x000000013F260000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1264-186-0x000000013F260000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/1264-189-0x000000013F260000-0x00000001400B4000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1060	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
944	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe
1264	b2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1636	wmic.exe
Token: SeSecurityPrivilege	1636	wmic.exe
Token: SeTakeOwnershipPrivilege	1636	wmic.exe
Token: SeLoadDriverPrivilege	1636	wmic.exe
Token: SeSystemProfilePrivilege	1636	wmic.exe
Token: SeSystemtimePrivilege	1636	wmic.exe
Token: SeProfSingleProcessPrivilege	1636	wmic.exe
Token: SeIncBasePriorityPrivilege	1636	wmic.exe
Token: SeCreatePagefilePrivilege	1636	wmic.exe
Token: SeBackupPrivilege	1636	wmic.exe
Token: SeRestorePrivilege	1636	wmic.exe
Token: SeShutdownPrivilege	1636	wmic.exe
Token: SeDebugPrivilege	1636	wmic.exe
Token: SeSystemEnvironmentPrivilege	1636	wmic.exe
Token: SeRemoteShutdownPrivilege	1636	wmic.exe
Token: SeUndockPrivilege	1636	wmic.exe
Token: SeManageVolumePrivilege	1636	wmic.exe
Token: 33	1636	wmic.exe
Token: 34	1636	wmic.exe
Token: 35	1636	wmic.exe
Token: SeIncreaseQuotaPrivilege	1636	wmic.exe
Token: SeSecurityPrivilege	1636	wmic.exe
Token: SeTakeOwnershipPrivilege	1636	wmic.exe
Token: SeLoadDriverPrivilege	1636	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 844	1264	b2.exe	28
PID 1264 wrote to memory of 844	1264	b2.exe	28
PID 1264 wrote to memory of 844	1264	b2.exe	28
PID 1264 wrote to memory of 1076	1264	b2.exe	29
PID 1264 wrote to memory of 1076	1264	b2.exe	29
PID 1264 wrote to memory of 1076	1264	b2.exe	29
PID 1264 wrote to memory of 1636	1264	b2.exe	31
PID 1264 wrote to memory of 1636	1264	b2.exe	31
PID 1264 wrote to memory of 1636	1264	b2.exe	31
PID 1264 wrote to memory of 880	1264	b2.exe	32
PID 1264 wrote to memory of 880	1264	b2.exe	32
PID 1264 wrote to memory of 880	1264	b2.exe	32
PID 880 wrote to memory of 916	880	cmd.exe	33
PID 880 wrote to memory of 916	880	cmd.exe	33
PID 880 wrote to memory of 916	880	cmd.exe	33
PID 916 wrote to memory of 1852	916	net.exe	34
PID 916 wrote to memory of 1852	916	net.exe	34
PID 916 wrote to memory of 1852	916	net.exe	34
PID 1264 wrote to memory of 1060	1264	b2.exe	35
PID 1264 wrote to memory of 1060	1264	b2.exe	35
PID 1264 wrote to memory of 1060	1264	b2.exe	35
PID 1264 wrote to memory of 944	1264	b2.exe	37
PID 1264 wrote to memory of 944	1264	b2.exe	37
PID 1264 wrote to memory of 944	1264	b2.exe	37

C:\Users\Admin\AppData\Local\Temp\b2.exe
"C:\Users\Admin\AppData\Local\Temp\b2.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\cmd.exe
  cmd /c
  2⤵
  PID:844
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\Wbem\wmic.exe
  wmic desktopmonitor get "screenheight, screenwidth"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\system32\cmd.exe
  cmd /C net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1852
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1060
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Telegram.exe
  2⤵
  - Kills process with taskkill
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab53ED.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar54AB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/1264-54-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download
memory/1264-100-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download
memory/1264-138-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download
memory/1264-148-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download
memory/1264-186-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download
memory/1264-189-0x000000013F260000-0x00000001400B4000-memory.dmp

Filesize
14.3MB

Download