208b0ac0027164a7feebd1bb4c9db90d27b7019ab6b49fe546a331e43cbe39c9

General

Target

PO--080523-FM 06.exe
Size

780KB
MD5

ef9872c017473716478f16036dcc09a8
SHA1

51d443812ec2c0185fa7c9eb50643e95a2889f14
SHA256

6f4954a23f51c48f450992f809848da3a8bb5c1d7c4bc262332fa2507f1a1cc9
SHA512

70e5638f7e9682298fae323439bc43a4835c427a0999c2c42eb4ee5de40bebebd55a188e0e3730dff937d51706bc374ed7586b0a09c78bf7307860708ea45f2d
SSDEEP

12288:9XmYUJhz9u9GaG1/rVVPqUXvfrHMdQV4PKuyu+ZjF5oqt+yCXAV:IJu9tq/rbPpvjHM2MO9ZjF5oqotXAV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\wSStSI = "C:\\Users\\Admin\\AppData\\Roaming\\wSStSI\\wSStSI.exe"	PO--080523-FM 06.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2472	2076	PO--080523-FM 06.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2076	PO--080523-FM 06.exe
2076	PO--080523-FM 06.exe
2472	PO--080523-FM 06.exe
2472	PO--080523-FM 06.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	PO--080523-FM 06.exe
Token: SeDebugPrivilege	2472	PO--080523-FM 06.exe
Token: SeDebugPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1708	2076	PO--080523-FM 06.exe	30
PID 2076 wrote to memory of 1708	2076	PO--080523-FM 06.exe	30
PID 2076 wrote to memory of 1708	2076	PO--080523-FM 06.exe	30
PID 2076 wrote to memory of 1708	2076	PO--080523-FM 06.exe	30
PID 2076 wrote to memory of 2832	2076	PO--080523-FM 06.exe	32
PID 2076 wrote to memory of 2832	2076	PO--080523-FM 06.exe	32
PID 2076 wrote to memory of 2832	2076	PO--080523-FM 06.exe	32
PID 2076 wrote to memory of 2832	2076	PO--080523-FM 06.exe	32
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34
PID 2076 wrote to memory of 2472	2076	PO--080523-FM 06.exe	34

C:\Users\Admin\AppData\Local\Temp\PO--080523-FM 06.exe
"C:\Users\Admin\AppData\Local\Temp\PO--080523-FM 06.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vxCkxWKvbwwokh.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vxCkxWKvbwwokh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp667.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\PO--080523-FM 06.exe
  "C:\Users\Admin\AppData\Local\Temp\PO--080523-FM 06.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp667.tmp

Filesize
1KB

MD5
f09b152ba022de171b0e5430c5f38b11

SHA1
0976a2500d3b636b63890da35910275288728035

SHA256
2545fbed223704fa444c3dd9cce0a7947da7c9a1bb9a2546708cd5457c035b2d

SHA512
c319398f1f04fe8997d535bba383e8bf19fdd41951b3341dd9477ad8a2e96ec7ce2a6634144eb75da5bab9a6a98269b9d98a419262a1cefd81ecb9efa4935bf0

Download Submit
memory/1708-83-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-84-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-86-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1708-87-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-57-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2076-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2076-61-0x0000000004DD0000-0x0000000004E4C000-memory.dmp

Filesize
496KB

Download
memory/2076-59-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2076-58-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-54-0x0000000000E90000-0x0000000000F5A000-memory.dmp

Filesize
808KB

Download
memory/2076-82-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-56-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2076-55-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2472-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-85-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2472-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2472-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads