5ad0285de999973d1a665bcfe5d7040494f64c113d8ef8664d3bda3ae66b8d67

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
Size

200KB
MD5

2403072d939599e88431e5d0ed0e2b1b
SHA1

507d6e48c7d74af7651a1af5e1d0844f45f9c263
SHA256

5ad0285de999973d1a665bcfe5d7040494f64c113d8ef8664d3bda3ae66b8d67
SHA512

5ecf81cd8be3ed57da1dbc063e517ffda89f4694356cd3ea5b2ea03c4dd53038a88655486e43d4f3d62c5b356072a6918a10b6befa7244634cea1d268aa111b6
SSDEEP

3072:K73LYJiZfUO7JAkH+wWtaiYGlIQZboLRi9ua/aHyvh1d2itL:K77gIfU2T7ZGlVbA

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2620	audiodg.exe
1632	audiodg.exe
1404	audiodg.exe
2632	audiodg.exe
2764	audiodg.exe
2772	audiodg.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe
2620	audiodg.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
Token: SeDebugPrivilege	2620	audiodg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2620	1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe	30
PID 1740 wrote to memory of 2620	1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe	30
PID 1740 wrote to memory of 2620	1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe	30
PID 1740 wrote to memory of 2620	1740	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe	30
PID 2620 wrote to memory of 1632	2620	audiodg.exe	33
PID 2620 wrote to memory of 1632	2620	audiodg.exe	33
PID 2620 wrote to memory of 1632	2620	audiodg.exe	33
PID 2620 wrote to memory of 1632	2620	audiodg.exe	33
PID 2620 wrote to memory of 1404	2620	audiodg.exe	34
PID 2620 wrote to memory of 1404	2620	audiodg.exe	34
PID 2620 wrote to memory of 1404	2620	audiodg.exe	34
PID 2620 wrote to memory of 1404	2620	audiodg.exe	34
PID 2620 wrote to memory of 2632	2620	audiodg.exe	35
PID 2620 wrote to memory of 2632	2620	audiodg.exe	35
PID 2620 wrote to memory of 2632	2620	audiodg.exe	35
PID 2620 wrote to memory of 2632	2620	audiodg.exe	35
PID 2620 wrote to memory of 2764	2620	audiodg.exe	36
PID 2620 wrote to memory of 2764	2620	audiodg.exe	36
PID 2620 wrote to memory of 2764	2620	audiodg.exe	36
PID 2620 wrote to memory of 2764	2620	audiodg.exe	36
PID 2620 wrote to memory of 2772	2620	audiodg.exe	37
PID 2620 wrote to memory of 2772	2620	audiodg.exe	37
PID 2620 wrote to memory of 2772	2620	audiodg.exe	37
PID 2620 wrote to memory of 2772	2620	audiodg.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe

C:\Users\Admin\AppData\Local\Temp\avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe
"C:\Users\Admin\AppData\Local\Temp\avira_en_vpnb0_19374396-127457345__pvpnws-spotlightvpnadw-test.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1740
- C:\Users\Admin\AppData\Local\Temp\audiodg.exe
  "C:\Users\Admin\AppData\Local\Temp\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\audiodg.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\audiodg.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\audiodg.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\audiodg.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\audiodg.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
\Users\Admin\AppData\Local\Temp\audiodg.exe

Filesize
694KB

MD5
a1f785bfdea5c75ed569fc48681eb610

SHA1
89eb5b87feb47c6d47386555658aa6308e0ffef3

SHA256
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b

SHA512
7fb1c1f55273b062ca19d6b898e043ad5d3f212b7f8d74532af2e384a896802052acf0a1c52a5a99913c0697cbdcbef2b4040d9baa0ad7d303508ef082787967

Download Submit
memory/1740-0-0x0000000000190000-0x00000000001C8000-memory.dmp

Filesize
224KB

Download
memory/1740-36-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/1740-34-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/1740-1-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/1740-3-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-5-0x0000000001D90000-0x0000000001D9A000-memory.dmp

Filesize
40KB

Download
memory/1740-4-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2620-21-0x0000000004E00000-0x0000000004E80000-memory.dmp

Filesize
512KB

Download
memory/2620-17-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2620-15-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2620-14-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2620-22-0x00000000020A0000-0x00000000020E2000-memory.dmp

Filesize
264KB

Download
memory/2620-16-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2620-13-0x0000000000390000-0x0000000000444000-memory.dmp

Filesize
720KB

Download
memory/2620-20-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2620-33-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2620-19-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2620-18-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download