8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b

General

Target

8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe
Size

26KB
MD5

953b34ddc7bee903b268fb7533ed1628
SHA1

46209d31204cadd1c6b96e39b4945b5a472d7d75
SHA256

8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b
SHA512

96d37ee211584dbb5881aeb429eef11fc31a956d18826e2c09df56a5bdd5cf4a1474369eeac8e0498f9325f38bf87daafd225e38263742a9d2bd17aa591084d6
SSDEEP

384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjvJPM:8Q3LotOPNSQVwVVxGKEvKHrVJPM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3592	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	spoolsv.exe
File created	C:\Windows\spoolsv.exe	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe
Token: SeDebugPrivilege	3592	spoolsv.exe
Token: SeManageVolumePrivilege	2420	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3592	2716	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe	81
PID 2716 wrote to memory of 3592	2716	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe	81
PID 2716 wrote to memory of 3592	2716	8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe	81

C:\Users\Admin\AppData\Local\Temp\8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe
"C:\Users\Admin\AppData\Local\Temp\8cc194e2597c33ce73f4e69095c19a71a6c5340d3e5abb29bb699d7edb7b038b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3592

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
72c770f97505d3e10b9755f2035efc94

SHA1
f78caa60b5338b07c55a13a1521b91c610dd954f

SHA256
a9e8d9b19a90c416debaccfd4d0bd01ff3d0dae66698d3f1480e7291719f6a35

SHA512
bbe52a89cddfe71d737b2dabda1bc78296cf1b41d81890a792ca5a4d84b16d249de152452b03321828ca6f6813a4f83c726e4f2ad34a25b937f447f50b50034b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
347KB

MD5
ee680eb85e3cf83c8e3717da61d313e7

SHA1
1a416e7455c8d47137a23d5734591179948fd7d0

SHA256
23fd4c3576e713b060fd088fd2aacbf64745710cdce1fa7205c399d9be606e3d

SHA512
71311482dbb83186c646fb9cb9603fa778f27cd5f792666b663b60729213436cbc047322912cadbd0cec859f74afe4baee9e4964eeeed331c66df13b0f56ffeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFl2SaUrrSUyZlA.exe

Filesize
26KB

MD5
4d995daf48f3e8bacd18e97fc4b563a1

SHA1
9823e63e64299966375cd94ee1b731ca72f9bf88

SHA256
eccef61503c7d85983e2bb54681dd50cb9f662e7d1d33c3d9ccff1351424b6ea

SHA512
c0fd2e3258efdf4acd985e1fe2db47b258f60325fbc3a0ae90269c977a0060a408802089f8b13200ffbc2f5be133df0e43c1850ca4ab79a229d024555450a1c7

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit
memory/2420-67-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-71-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-62-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-63-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-64-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-65-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-66-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-45-0x0000024957240000-0x0000024957250000-memory.dmp

Filesize
64KB

Download
memory/2420-68-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-69-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-70-0x000002495F840000-0x000002495F841000-memory.dmp

Filesize
4KB

Download
memory/2420-61-0x000002495F810000-0x000002495F811000-memory.dmp

Filesize
4KB

Download
memory/2420-72-0x000002495F460000-0x000002495F461000-memory.dmp

Filesize
4KB

Download
memory/2420-73-0x000002495F450000-0x000002495F451000-memory.dmp

Filesize
4KB

Download
memory/2420-75-0x000002495F460000-0x000002495F461000-memory.dmp

Filesize
4KB

Download
memory/2420-78-0x000002495F450000-0x000002495F451000-memory.dmp

Filesize
4KB

Download
memory/2420-81-0x000002495F390000-0x000002495F391000-memory.dmp

Filesize
4KB

Download
memory/2420-29-0x0000024957140000-0x0000024957150000-memory.dmp

Filesize
64KB

Download
memory/2420-93-0x000002495F590000-0x000002495F591000-memory.dmp

Filesize
4KB

Download
memory/2420-95-0x000002495F5A0000-0x000002495F5A1000-memory.dmp

Filesize
4KB

Download
memory/2420-96-0x000002495F5A0000-0x000002495F5A1000-memory.dmp

Filesize
4KB

Download
memory/2420-97-0x000002495F6B0000-0x000002495F6B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads