3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Size

25KB
MD5

4b8261a668e8b609703769edddcb4c97
SHA1

55850fc5db482729a97926a604761b89b2f4f696
SHA256

3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3
SHA512

a138dc8da89284b3a440b883abc56a3700997cb6ff10ca3ca3b57f22ea807a31bf88f7f7d09e1f73d7d5b129523b180a2e915bb4372f8d84fb7b707db944a5fd
SSDEEP

384:fJ1mIUcCgKY2mPNIrJwIhn7ytQtJUMTNOt894boE9K/mKHboI3:Xm55gKGPNSHftJDhEvKHbo6

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
960	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\www.google.com	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\www.google.com	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Token: SeDebugPrivilege	960	spoolsv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 960	3344	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe	85
PID 3344 wrote to memory of 960	3344	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe	85
PID 3344 wrote to memory of 960	3344	3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe	85

C:\Users\Admin\AppData\Local\Temp\3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
"C:\Users\Admin\AppData\Local\Temp\3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
347KB

MD5
c3dfea2840b207c14b34466563204053

SHA1
16c990262fbed14e35ad294ff259f756b15b671c

SHA256
846ac78931e52ff11698a904d2ffb4abd2d9e645c538e248903e5934e5faaafb

SHA512
3e2b2529efee9a340b210ed235191130f423f2b0a5b6dc24de92f546f0fce98e693d8ac1a4cd750a60de787518abd3058d4b3e1fb84fec0989d27028fd2ee416

Download Submit
C:\Users\Admin\AppData\Local\Temp\vKUT9EKZQbgDPux.exe

Filesize
25KB

MD5
7105251150f5420e16bb1d34fe5b1672

SHA1
9e73b7ef98288724efa1401ee7429f174e6c289d

SHA256
3961b551ed592d7e3420e740b33db2571e2583fbfeb826d832faf285ef278028

SHA512
3063e3ac9203c9d4a0f2b6f00171ce315af0c5a5613d7e43cf05287148eeabffb49f511246484842f94dc594db6e36908e6507a5560e51c84e53cafad6719c6b

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
9ba0942ba2b766b43b832ad20b186324

SHA1
4352dd8ee4fcf525400ba6d8cd31ef296f421790

SHA256
b788302ea044a0843019e224643d5af1935d420ba716e783b28750b9301c0f4c

SHA512
9d485424f423342f6135da72a2e396f6215320cf7849deb3d6a24da0d72b1d3d937a3d6a38023607d8bb760948b5e37c5ff4c743e4246d25c259e5f0ecef6b0b

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
9ba0942ba2b766b43b832ad20b186324

SHA1
4352dd8ee4fcf525400ba6d8cd31ef296f421790

SHA256
b788302ea044a0843019e224643d5af1935d420ba716e783b28750b9301c0f4c

SHA512
9d485424f423342f6135da72a2e396f6215320cf7849deb3d6a24da0d72b1d3d937a3d6a38023607d8bb760948b5e37c5ff4c743e4246d25c259e5f0ecef6b0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads