49dbb9131dae2a475e9587798763901fbba6c7ebc5e57c03af968e1bdd5af6ec

General

Target

NEAS.5cf1a37d31c168f9ad33404b696dc790.exe
Size

168KB
MD5

5cf1a37d31c168f9ad33404b696dc790
SHA1

e87c54472c8a614689e339c29be89f586d0b1b2b
SHA256

49dbb9131dae2a475e9587798763901fbba6c7ebc5e57c03af968e1bdd5af6ec
SHA512

74dfb55db7518373d06ffc5e453c33832a20dd83473c58ce6b998c935ad62b3f2bbddadacc65e64afe24a296a86be1ecefac784dea3d27c0954fe1cc36928a32
SSDEEP

3072:vFU+XvKLV3DsOR6/0JkAgaDgSyfrr5ak8xH5KLcUvyq58lUFpX7uH92Lm:vXXvkV3DR5eaDg1aBxHlUKq53Fm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
748	xXk3UDGs30mgJ7y.exe
4420	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe
Token: SeDebugPrivilege	4420	spoolsv.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 748	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe	89
PID 4136 wrote to memory of 748	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe	89
PID 4136 wrote to memory of 4420	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe	91
PID 4136 wrote to memory of 4420	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe	91
PID 4136 wrote to memory of 4420	4136	NEAS.5cf1a37d31c168f9ad33404b696dc790.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.5cf1a37d31c168f9ad33404b696dc790.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5cf1a37d31c168f9ad33404b696dc790.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\xXk3UDGs30mgJ7y.exe
  C:\Users\Admin\AppData\Local\Temp\xXk3UDGs30mgJ7y.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xXk3UDGs30mgJ7y.exe.log

Filesize
25KB

MD5
9169929699cb174969dbf55cddebb7a9

SHA1
3d3ecd4e2ff4fdd2ed4fbd69f4be976d843bf57b

SHA256
7a61ba89a7eca20a81479883de74fe70121c6b95993453e680b4c39e5c012f31

SHA512
2d3c9f97b25acd544a11226344f041c2096c843239f41d3b35f524e03f5731afd10a9cf1848670eb0195da4cc87586dab0a72c79b0dc5a96b9225508654750a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
27KB

MD5
585714762249ebce7f9b6915c42864a9

SHA1
8fd8b81ba5f3dc935ee62bf36003408c8de19294

SHA256
6b30ddc5c4eee98c8274a2352367f7f1cca1806659ce4833f07ac192022c3089

SHA512
3005a32e0eaa4fd38bea4488186c5f58cae115fe4396f9034c176cd8b0d3043c78f0ef4fd8baad57545ce67b4c16a40845df572e81ae84a463b44d5e81f2fbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXk3UDGs30mgJ7y.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXk3UDGs30mgJ7y.exe

Filesize
143KB

MD5
c583d768336377e263ed3de978da7c6e

SHA1
2c48977d57dfe983781ae622056588233d7d67ee

SHA256
54836a96884e0e9b30b1ff5b3ece61ce17dd472a4b09137296cd7915ec4a0fac

SHA512
284adabd0b025057d4f43e860b9cb64fd9505439c658cf011b87fcce5b15c6d6ebeae1134373c48401b559bdb465e882798127edb7c0fbbba59f225f85150b93

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit
memory/748-5-0x0000000000EF0000-0x0000000000F18000-memory.dmp

Filesize
160KB

Download
memory/748-10-0x00007FFA81260000-0x00007FFA81D21000-memory.dmp

Filesize
10.8MB

Download
memory/748-25-0x00007FFA81260000-0x00007FFA81D21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads