74b62ded9e42fa2082bb7615a4872fbe45c61736c748a3855ab1329ed7b29543

General

Target

AWB 9057382937.exe
Size

793KB
MD5

e67d13c3670436b5a242a01aa59c70c0
SHA1

43b470a7f37a158396d34d35c62c7f4d6cb55d2d
SHA256

497963cdcfec245455b229692d32c1f6cb8250b86be44fbe747e441552ae2bba
SHA512

47786313ebbdbc0f37b0096295ebd3294bec05c29e16d9501572321a1598c73cd365b0159b186724cc66399807b5d9d6db910ddf59b3b3e147bf852f1da602ea
SSDEEP

12288:NZnDZtz9se3FOIac6yDpq816ZWnwNKEpFHfiQ6b+ZWttSp:N/tJxM/c6yFqYw9F/iQsPttSp

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\svchost.exe.exe"	AWB 9057382937.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	api.ipify.org
32	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3472 set thread context of 3220	3472	AWB 9057382937.exe	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3472	AWB 9057382937.exe
3472	AWB 9057382937.exe
3220	AWB 9057382937.exe
3220	AWB 9057382937.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	AWB 9057382937.exe
Token: SeDebugPrivilege	3220	AWB 9057382937.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91
PID 3472 wrote to memory of 3220	3472	AWB 9057382937.exe	91

C:\Users\Admin\AppData\Local\Temp\AWB 9057382937.exe
"C:\Users\Admin\AppData\Local\Temp\AWB 9057382937.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\AWB 9057382937.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB 9057382937.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AWB 9057382937.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3220-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3220-153-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3220-152-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3220-151-0x0000000006870000-0x00000000068C0000-memory.dmp

Filesize
320KB

Download
memory/3220-148-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/3220-146-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3220-145-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-141-0x0000000008600000-0x000000000869C000-memory.dmp

Filesize
624KB

Download
memory/3472-133-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-140-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/3472-139-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-147-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-138-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3472-137-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/3472-136-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/3472-135-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/3472-134-0x0000000000600000-0x00000000006CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads