5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4

Analysis

max time kernel
140s
max time network
144s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe
Size

817KB
MD5

a1ad8b7961ff0cd54e59af81abdb24fb
SHA1

a07df462d0c29c0bbcc5d4165a8676010da9c4a6
SHA256

5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4
SHA512

8dcbae212bf1a2bdbc200454fef24bbc5b5c7fa726be77215ee8219fa4fb557ec3d89772efb79aa9401d807e007809d76c152dca4ce3be9acdf2b67aa9ddacf5
SSDEEP

12288:EAPc/z15+35scLm5OKzV2jb74Eb/NoKVABtg4VXa5du5mPkBseFf2NWQVgEz8wo:EDr2Om4ERiVXaTDieNWQVDowo

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4000	Kjbqatck.exe
2544	Dzvgqyjd.exe
980	Kjbqatck.exe
5000	Kjbqatck.exe
2672	Kjbqatck.exe
4460	Kjbqatck.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 4000 set thread context of 4460	4000	Kjbqatck.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	4460	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4380	RegAsm.exe
4380	RegAsm.exe
4000	Kjbqatck.exe
4000	Kjbqatck.exe
4000	Kjbqatck.exe
4000	Kjbqatck.exe
4000	Kjbqatck.exe
4000	Kjbqatck.exe
4460	Kjbqatck.exe
4460	Kjbqatck.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe
Token: SeDebugPrivilege	4380	RegAsm.exe
Token: SeDebugPrivilege	4000	Kjbqatck.exe
Token: SeDebugPrivilege	2544	Dzvgqyjd.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 2540 wrote to memory of 4380	2540	5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe	72
PID 4380 wrote to memory of 4000	4380	RegAsm.exe	73
PID 4380 wrote to memory of 4000	4380	RegAsm.exe	73
PID 4380 wrote to memory of 4000	4380	RegAsm.exe	73
PID 4000 wrote to memory of 2544	4000	Kjbqatck.exe	75
PID 4000 wrote to memory of 2544	4000	Kjbqatck.exe	75
PID 4000 wrote to memory of 980	4000	Kjbqatck.exe	76
PID 4000 wrote to memory of 980	4000	Kjbqatck.exe	76
PID 4000 wrote to memory of 980	4000	Kjbqatck.exe	76
PID 4000 wrote to memory of 5000	4000	Kjbqatck.exe	77
PID 4000 wrote to memory of 5000	4000	Kjbqatck.exe	77
PID 4000 wrote to memory of 5000	4000	Kjbqatck.exe	77
PID 4000 wrote to memory of 2672	4000	Kjbqatck.exe	79
PID 4000 wrote to memory of 2672	4000	Kjbqatck.exe	79
PID 4000 wrote to memory of 2672	4000	Kjbqatck.exe	79
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78
PID 4000 wrote to memory of 4460	4000	Kjbqatck.exe	78

C:\Users\Admin\AppData\Local\Temp\5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe
"C:\Users\Admin\AppData\Local\Temp\5e49ab8fc5ff67a3e4a8fa296e428d95fe19f868367b1ab3b9fd837a6c7d98c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
    "C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\Dzvgqyjd.exe
      "C:\Users\Admin\AppData\Local\Temp\Dzvgqyjd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      4⤵
      Executes dropped EXE
      PID:980
  - - C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      4⤵
      Executes dropped EXE
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 388
        5⤵
        Program crash
        
        PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe
      4⤵
      Executes dropped EXE
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dzvgqyjd.exe

Filesize
819KB

MD5
43e7dbaf9f33f72eb76a89793345dde8

SHA1
acef7059fed5f1fe751977c8365792945908c271

SHA256
d473fc698d24ec201f5d2977ab9abb5bfcee6bd9c0dbdb5648115a4785158a6b

SHA512
dc749551e8bafc128e3cab613b6dea30530e564c668e3b285062e3aae6e8f56f95b66491fd4c7f09e2c7c9f88baf0d767b472661a7c070d648ba4fe9886e1494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dzvgqyjd.exe

Filesize
819KB

MD5
43e7dbaf9f33f72eb76a89793345dde8

SHA1
acef7059fed5f1fe751977c8365792945908c271

SHA256
d473fc698d24ec201f5d2977ab9abb5bfcee6bd9c0dbdb5648115a4785158a6b

SHA512
dc749551e8bafc128e3cab613b6dea30530e564c668e3b285062e3aae6e8f56f95b66491fd4c7f09e2c7c9f88baf0d767b472661a7c070d648ba4fe9886e1494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjbqatck.exe

Filesize
821KB

MD5
a0014ecf2a13cd6b30de89b10e9090a6

SHA1
6bbbd819e0002f3980056878b043d40c3ec1c487

SHA256
4672bb7da4b1541532d56250a19538626a1f209b8ff2e8aff8267232590bbd74

SHA512
a1603ba6f08424540966c38a62a7083977c71667b62bd29439aa957c17b3c690fe6a7fa396cff6a824ae6ec6165c6160d0f3fd7378a78f97336eb0186d1a3a98

Download Submit
memory/2540-51-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-61-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-15-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-17-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-19-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-21-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-23-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-25-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-27-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-29-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-31-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-33-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-35-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-37-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-39-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-41-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-43-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-45-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-47-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-49-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-0-0x0000012B5CF10000-0x0000012B5CFE0000-memory.dmp

Filesize
832KB

Download
memory/2540-53-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-55-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-57-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-59-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-13-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-63-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-65-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-67-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-619-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-852-0x0000012B77420000-0x0000012B77430000-memory.dmp

Filesize
64KB

Download
memory/2540-1082-0x0000012B5D3B0000-0x0000012B5D3B1000-memory.dmp

Filesize
4KB

Download
memory/2540-1083-0x0000012B78650000-0x0000012B78748000-memory.dmp

Filesize
992KB

Download
memory/2540-1084-0x0000012B78750000-0x0000012B7879C000-memory.dmp

Filesize
304KB

Download
memory/2540-1-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-2-0x0000012B77420000-0x0000012B77430000-memory.dmp

Filesize
64KB

Download
memory/2540-1088-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-3-0x0000012B784D0000-0x0000012B7864E000-memory.dmp

Filesize
1.5MB

Download
memory/2540-4-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-5-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-7-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-9-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2540-11-0x0000012B784D0000-0x0000012B78647000-memory.dmp

Filesize
1.5MB

Download
memory/2544-4383-0x0000027FFC3A0000-0x0000027FFC3B0000-memory.dmp

Filesize
64KB

Download
memory/2544-4377-0x0000027FF9C60000-0x0000027FF9D32000-memory.dmp

Filesize
840KB

Download
memory/2544-4376-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-4389-0x0000027FFD310000-0x0000027FFD4C4000-memory.dmp

Filesize
1.7MB

Download
memory/2544-5207-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-5284-0x0000027FFC3A0000-0x0000027FFC3B0000-memory.dmp

Filesize
64KB

Download
memory/2544-5470-0x0000027FFA100000-0x0000027FFA101000-memory.dmp

Filesize
4KB

Download
memory/2544-5471-0x0000027FFCD50000-0x0000027FFCE7E000-memory.dmp

Filesize
1.2MB

Download
memory/4000-4367-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/4000-3287-0x0000000007EE0000-0x0000000008022000-memory.dmp

Filesize
1.3MB

Download
memory/4000-4388-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-4229-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-3286-0x0000000003380000-0x000000000338A000-memory.dmp

Filesize
40KB

Download
memory/4000-4368-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/4000-4369-0x0000000006C50000-0x0000000006D0E000-memory.dmp

Filesize
760KB

Download
memory/4000-4370-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/4000-3285-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/4000-3284-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/4000-3283-0x0000000005FA0000-0x000000000649E000-memory.dmp

Filesize
5.0MB

Download
memory/4000-3281-0x0000000000FB0000-0x0000000001084000-memory.dmp

Filesize
848KB

Download
memory/4000-3282-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-3268-0x000002B4F4F30000-0x000002B4F4FAA000-memory.dmp

Filesize
488KB

Download
memory/4380-3249-0x000002B4DC360000-0x000002B4DC386000-memory.dmp

Filesize
152KB

Download
memory/4380-3248-0x000002B4F4BD0000-0x000002B4F4C6E000-memory.dmp

Filesize
632KB

Download
memory/4380-2883-0x000002B4F4D80000-0x000002B4F4D90000-memory.dmp

Filesize
64KB

Download
memory/4380-3341-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-2759-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-1090-0x000002B4F4D80000-0x000002B4F4D90000-memory.dmp

Filesize
64KB

Download
memory/4380-1091-0x000002B4DC3A0000-0x000002B4DC4A8000-memory.dmp

Filesize
1.0MB

Download
memory/4380-1089-0x00007FFD31F20000-0x00007FFD3290C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-1087-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4460-4387-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4460-5419-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download