9f19340ceea037a71039df20020e2b0671717c678aee3ef32094ba3aeb00b82b

General

Target

14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe
Size

418KB
MD5

14c5f6cd24d9101463e4277dc2f7c7a0
SHA1

330ae812ce71e509921fbffdf65eb52bbc2664f6
SHA256

9f19340ceea037a71039df20020e2b0671717c678aee3ef32094ba3aeb00b82b
SHA512

3f5731d0687d7854e221f0caf394a317c638cedeee1a93d6ea4ffcef24d014c24dea7e63ab568772341432a31853472896470d36c113c4e2cffed2e811209d6d
SSDEEP

12288:fATRfwHASsXyytKzmQjMYqOWzHS4rLwJjm4uwgZT5tSRi:4VfwHASWKKSMYqO0HS++fBgp5t6i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4972	jGbbOsYUB8mrMKf.exe
1524	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\e:	jGbbOsYUB8mrMKf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe
Token: SeDebugPrivilege	1524	spoolsv.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4972	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe	84
PID 3436 wrote to memory of 4972	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe	84
PID 3436 wrote to memory of 1524	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe	83
PID 3436 wrote to memory of 1524	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe	83
PID 3436 wrote to memory of 1524	3436	14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe	83

C:\Users\Admin\AppData\Local\Temp\14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14c5f6cd24d9101463e4277dc2f7c7a0_exe32_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\jGbbOsYUB8mrMKf.exe
  C:\Users\Admin\AppData\Local\Temp\jGbbOsYUB8mrMKf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
347KB

MD5
e9bf89b375dbe07ca452fbe35bc77938

SHA1
2ccb25b0625351114746172a41b3e6cee57ce75d

SHA256
778ffaa48c3f8e8c40bf18eca1a5f935f2b1329c319cc39a6f3b852a89624ccc

SHA512
65c8222c08801ddc74abde4d793f5b25598f76a3c9a3e8939683038284fb87e239e99497d1003c0f8f5c5eee10d664a561d555950b3d816263a94ecd28deed39

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGbbOsYUB8mrMKf.exe

Filesize
393KB

MD5
74b2c70e8c03d22668802425f78b8efd

SHA1
e51793468c7699f539fa8b5726873d0c994e96b8

SHA256
d18ee29a30c2028c0bc3f5fcc3e6fae4cc7d07b9dfe5606adf846f08c934ec0d

SHA512
8976f260e96ee5697082f66d0baa370519657550955e293e8ce2b7b2c8056f8792099772917c11d7e2df7918b385b880de771a6ec461a6ed3e8b42cc2a94c589

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGbbOsYUB8mrMKf.exe

Filesize
393KB

MD5
74b2c70e8c03d22668802425f78b8efd

SHA1
e51793468c7699f539fa8b5726873d0c994e96b8

SHA256
d18ee29a30c2028c0bc3f5fcc3e6fae4cc7d07b9dfe5606adf846f08c934ec0d

SHA512
8976f260e96ee5697082f66d0baa370519657550955e293e8ce2b7b2c8056f8792099772917c11d7e2df7918b385b880de771a6ec461a6ed3e8b42cc2a94c589

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
82071fd2379c64429acf376487fcddff

SHA1
2da42c7eaa62ecee65757b441c939f12b52228fb

SHA256
272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

SHA512
194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads