4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3

General

Target

4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
Size

183KB
MD5

0303a17fe201386700406928e5c50e48
SHA1

c2736ab3cd708ccd5b6fcf3244d6ac45d07c8486
SHA256

4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3
SHA512

e2d6240281d829a3799d24c4c8aa0e38c2c47cc26eef6eb6a6a49dd332baf84dec09a1fd22b7ce0f7177e44e69632487736e14158b6099b401e650038b0460e0
SSDEEP

3072:GUI/zCt5UXBUkH+LGP34oeKerVUzeeDXbwa21Dq9ua/aHyvZR6d2iT:GUI/+t5USmbwv

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\audiodog\\audiodog.exe"	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
5052	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5052	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
Token: SeManageVolumePrivilege	1804	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5052	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe

C:\Users\Admin\AppData\Local\Temp\4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe
"C:\Users\Admin\AppData\Local\Temp\4eda7fdcc6081486e3a840365c46e5d069fb5c521b9eecad775456fea48c9ab3.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5052

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1804-25-0x0000023F0A240000-0x0000023F0A250000-memory.dmp

Filesize
64KB

Download
memory/1804-46-0x0000023F126B0000-0x0000023F126B1000-memory.dmp

Filesize
4KB

Download
memory/1804-45-0x0000023F125A0000-0x0000023F125A1000-memory.dmp

Filesize
4KB

Download
memory/1804-44-0x0000023F125A0000-0x0000023F125A1000-memory.dmp

Filesize
4KB

Download
memory/1804-41-0x0000023F12570000-0x0000023F12571000-memory.dmp

Filesize
4KB

Download
memory/5052-6-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/5052-0-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5052-5-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/5052-4-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5052-42-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/5052-3-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/5052-2-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/5052-1-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5052-48-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads