a285da59a4bd7b27ff2c1c456dd2570d08ee0583e27f6daecb5ef8a7221420e9

General

Target

STATEMENT IN JUN 2023.exe
Size

742KB
MD5

ab3a7089c3c5968977aebfa85fdc05cd
SHA1

da9ca170ca878ba9b6c2b6b38c462491813edce0
SHA256

2743a30069ac7bd06abed1ca7b5a867d034b3c0793d92eba2b91bce0e98f67f6
SHA512

b8cd71c5a903c3e57b90b95e47b271a00a7a0fb5ebd3f3fe8db1705b55451c7e624e18c79c52ad6428b17ffcbbc97d27caabcd64ce3ef7448791fd9a5cbea0a0
SSDEEP

12288:xRju+nO5ReCNLwJPqOIAEibVK1g9u3pppNpppppoOQpppNpppppoO:xA5RtNCIjiBK1gY3pppNpppppoOQpppv

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\yStNrF = "C:\\Users\\Admin\\AppData\\Roaming\\yStNrF\\yStNrF.exe"	STATEMENT IN JUN 2023.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2716	3032	STATEMENT IN JUN 2023.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3032	STATEMENT IN JUN 2023.exe
2716	STATEMENT IN JUN 2023.exe
2716	STATEMENT IN JUN 2023.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	STATEMENT IN JUN 2023.exe
Token: SeDebugPrivilege	2716	STATEMENT IN JUN 2023.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	STATEMENT IN JUN 2023.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2748	3032	STATEMENT IN JUN 2023.exe	30
PID 3032 wrote to memory of 2748	3032	STATEMENT IN JUN 2023.exe	30
PID 3032 wrote to memory of 2748	3032	STATEMENT IN JUN 2023.exe	30
PID 3032 wrote to memory of 2748	3032	STATEMENT IN JUN 2023.exe	30
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32
PID 3032 wrote to memory of 2716	3032	STATEMENT IN JUN 2023.exe	32

C:\Users\Admin\AppData\Local\Temp\STATEMENT IN JUN 2023.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT IN JUN 2023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZwrdyQchFvwQSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECDE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\STATEMENT IN JUN 2023.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpECDE.tmp

Filesize
1KB

MD5
f71b73c7be6de317a6534ed38adcf667

SHA1
76516a46d4bca69c33959d4c3c9af7c9f5cc7db6

SHA256
204538eb14a47fa16e562f76312601fc07326e3f0f3358b053ef2eda683990bc

SHA512
eb6ebdd0a1524d9ffc8d922aca76b2258965d2af813794bcce3e53bc7ef3e65c78062f0b3c09e2ca3cc724e7100f1608237e81b196d5ad2455932ea9f2eca179

Download Submit
memory/2716-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-80-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-78-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2716-77-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-81-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2716-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-59-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/3032-61-0x0000000000850000-0x0000000000892000-memory.dmp

Filesize
264KB

Download
memory/3032-73-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3032-60-0x0000000004840000-0x00000000048BA000-memory.dmp

Filesize
488KB

Download
memory/3032-54-0x0000000000320000-0x00000000003E0000-memory.dmp

Filesize
768KB

Download
memory/3032-58-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/3032-57-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3032-56-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/3032-55-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads