5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9

General

Target

5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe
Size

379KB
MD5

81a5c535b46c2a330913597e8f888f25
SHA1

168679807c96c893221252a50d8884760e29ac49
SHA256

5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
SHA512

84941e2e3252eb256fda307f17956a0c8698b53f10e83bb3473e85063835a8f2028a48c7076be35cc01f4eec49c5cf3477503c486ea404669d390132444cfbd5
SSDEEP

6144:BnPdudwDsOGVkx6NDrYDo82AN2B1LUYuhrCd/uAkDR1FyENc/LRxJW6ah4U73C9S:BnPdwOxxCDvAN2B1KChuAk1jWrJWPpyS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2640	cmstp.exe
8	2640	cmstp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation	eeuhnbzrv.exe

Executes dropped EXE 2 IoCs

pid	Process
1140	eeuhnbzrv.exe
2176	eeuhnbzrv.exe

Loads dropped DLL 3 IoCs

pid	Process
3020	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe
1140	eeuhnbzrv.exe
2640	cmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 2176	1140	eeuhnbzrv.exe	29
PID 2176 set thread context of 1264	2176	eeuhnbzrv.exe	21
PID 2176 set thread context of 2640	2176	eeuhnbzrv.exe	32
PID 2640 set thread context of 1264	2640	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3750544865-3773649541-1858556521-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1140	eeuhnbzrv.exe
2176	eeuhnbzrv.exe
1264	Explorer.EXE
1264	Explorer.EXE
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe
2640	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	eeuhnbzrv.exe
Token: SeDebugPrivilege	2640	cmstp.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1140	3020	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	28
PID 3020 wrote to memory of 1140	3020	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	28
PID 3020 wrote to memory of 1140	3020	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	28
PID 3020 wrote to memory of 1140	3020	5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe	28
PID 1140 wrote to memory of 2176	1140	eeuhnbzrv.exe	29
PID 1140 wrote to memory of 2176	1140	eeuhnbzrv.exe	29
PID 1140 wrote to memory of 2176	1140	eeuhnbzrv.exe	29
PID 1140 wrote to memory of 2176	1140	eeuhnbzrv.exe	29
PID 1140 wrote to memory of 2176	1140	eeuhnbzrv.exe	29
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 1264 wrote to memory of 2640	1264	Explorer.EXE	32
PID 2640 wrote to memory of 2000	2640	cmstp.exe	35
PID 2640 wrote to memory of 2000	2640	cmstp.exe	35
PID 2640 wrote to memory of 2000	2640	cmstp.exe	35
PID 2640 wrote to memory of 2000	2640	cmstp.exe	35
PID 2640 wrote to memory of 2000	2640	cmstp.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9_JC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe
    "C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe
      "C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2176
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_4xxj.zip

Filesize
440KB

MD5
5d874a46532117f82095481976117fa1

SHA1
0a33fdef5084db25e24451dbde80238b487fbe78

SHA256
d6ccab1423559c6cf50202bc81a4576f969aa9c275eaaeb9a2ac2c827cd60447

SHA512
f0624277f3b4839c836291e1d1eb03cda875ba192243427afa967819b213f0cdade02f22e20b786b4680e4faaef20c045ad0a456d5f85fc04d3ab2e081ff4c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxypckrhq.ts

Filesize
249KB

MD5
9e10dc8f0b5235c5d5f8e9341a81cf02

SHA1
a064af551534fe9b25ce3b063146334fabcfb54f

SHA256
3803da5830f4ca46d256502e018feb36877a25629b5203a20f94511f09acc2a4

SHA512
153029ec40f58baa12fc2d6f1b58d7b2c06d44dcf3e6b34d27b78bc1cc0500ea3c88f8fbe590b692f396d1af86860fc7b42814c71d20f9d17d6d0a2039b3528f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
\Users\Admin\AppData\Local\Temp\eeuhnbzrv.exe

Filesize
194KB

MD5
249fc0616b7d71b8fa6cb6228c706f82

SHA1
10d99aed3d2f47b89b8deca25d9b630efebabc15

SHA256
38e5fd58c7a41df7f5bdd0b4da74ba20a43a48bff92b36f4f1d215fe6c1b8f24

SHA512
eda89083da1e7dd95712205af3c60b7f60d97bba9bcac5c63aa30c1fb8211bb6ff63f6011745e44b7ca1f79e004e8d69593d51906227152cf325410661342178

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
841KB

MD5
5fc6cd5d5ca1489d2a3c361717359a95

SHA1
5c630e232cd5761e7a611e41515be4afa3e7a141

SHA256
85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

SHA512
5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

Download Submit
memory/1140-6-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/1264-27-0x0000000004940000-0x00000000049F8000-memory.dmp

Filesize
736KB

Download
memory/1264-28-0x0000000004940000-0x00000000049F8000-memory.dmp

Filesize
736KB

Download
memory/1264-25-0x0000000008B90000-0x000000000ACE9000-memory.dmp

Filesize
33.3MB

Download
memory/1264-31-0x0000000004940000-0x00000000049F8000-memory.dmp

Filesize
736KB

Download
memory/1264-18-0x0000000008B90000-0x000000000ACE9000-memory.dmp

Filesize
33.3MB

Download
memory/2176-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-13-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/2176-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-22-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2176-17-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2176-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2176-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2640-19-0x0000000000090000-0x00000000000C6000-memory.dmp

Filesize
216KB

Download
memory/2640-26-0x0000000001E00000-0x0000000001E9A000-memory.dmp

Filesize
616KB

Download
memory/2640-29-0x0000000000090000-0x00000000000C6000-memory.dmp

Filesize
216KB

Download
memory/2640-30-0x0000000001E00000-0x0000000001E9A000-memory.dmp

Filesize
616KB

Download
memory/2640-24-0x0000000000090000-0x00000000000C6000-memory.dmp

Filesize
216KB

Download
memory/2640-23-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/2640-20-0x0000000000090000-0x00000000000C6000-memory.dmp

Filesize
216KB

Download
memory/2640-71-0x0000000061E00000-0x0000000061EBF000-memory.dmp

Filesize
764KB

Download
memory/2640-73-0x0000000061E00000-0x0000000061EBF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing