a7f20208e2acdaef29b5684758c3d6c330ecf984982dcbb837ba162c88290950

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MQVIFDDBKZ.exe
Size

4.2MB
MD5

5f935bf59dd02975d2fcceebdb704ff5
SHA1

a845035c8abd398980dde847a79f0101df783481
SHA256

adde97df86a4bddb26838cbc17b26a0e02966ba786747ff943150a72fac5fba6
SHA512

03d6bc3b9edb15ca5c0b9a18aa18e72bf8bc9a21e03acbba8917abe6e90aa408fe80176a3081409579e47918e8e80a14991335aa021ad8a99f523e920853d906
SSDEEP

49152:UcPaYhZjSIhfmzp45kfFos9UUEYSoh26XX6KB7d5egU+1dhXpCm9vEMDj2gmYXAt:tjffmSk+YxhBJHDRvAYbvGgw+js

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1388 powershell.exe
1388 powershell.exe
4448 powershell.exe
4448 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1388 powershell.exe
Token: SeDebugPrivilege 4448 powershell.exe

pid	process
1388	powershell.exe
1388	powershell.exe
4448	powershell.exe
4448	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

MQVIFDDBKZ.exe

description	pid	process	target process
PID 3880 wrote to memory of 1388	3880	MQVIFDDBKZ.exe	powershell.exe
PID 3880 wrote to memory of 1388	3880	MQVIFDDBKZ.exe	powershell.exe
PID 3880 wrote to memory of 4448	3880	MQVIFDDBKZ.exe	powershell.exe
PID 3880 wrote to memory of 4448	3880	MQVIFDDBKZ.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\MQVIFDDBKZ.exe
"C:\Users\Admin\AppData\Local\Temp\MQVIFDDBKZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1kn425t3.jju.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxSwD8GQoPyJBU8GpkWBfL5n3CYDl8\sensfiles.zip
Filesize
4.3MB

MD5
f3fbe6459877cc94efc4def5a81b58de

SHA1
a7c81201c19783433bda974ea532fff9d4c5a758

SHA256
295241a852afa6b161491de30364a84c12050d687de9684154e65f24deb1c472

SHA512
aa8862bdaa39420f64ee3f78ffb89e62a61b730a3164c519386ebcf852dd0ab025ba23719b9c008f48f41974f620dfa229acddf2455e9064def8b12d056aef24

Download Submit
memory/1388-16-0x00007FFEF7130000-0x00007FFEF7BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-13-0x00000180DB0C0000-0x00000180DB0D0000-memory.dmp

Filesize
64KB

Download
memory/1388-5-0x00000180DB0D0000-0x00000180DB0F2000-memory.dmp

Filesize
136KB

Download
memory/1388-12-0x00000180DB0C0000-0x00000180DB0D0000-memory.dmp

Filesize
64KB

Download
memory/1388-11-0x00000180DB0C0000-0x00000180DB0D0000-memory.dmp

Filesize
64KB

Download
memory/1388-10-0x00007FFEF7130000-0x00007FFEF7BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-18-0x00007FFEF6EE0000-0x00007FFEF79A1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-19-0x0000017FDE740000-0x0000017FDE750000-memory.dmp

Filesize
64KB

Download
memory/4448-29-0x0000017FDE740000-0x0000017FDE750000-memory.dmp

Filesize
64KB

Download
memory/4448-31-0x0000017FDE740000-0x0000017FDE750000-memory.dmp

Filesize
64KB

Download
memory/4448-34-0x00007FFEF6EE0000-0x00007FFEF79A1000-memory.dmp

Filesize
10.8MB

Download