2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe
Size

16KB
MD5

ce53363d74457576352fadf15d61f915
SHA1

5cd78ae5cafccf9350cd88918c26995f8a8dceea
SHA256

2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe
SHA512

0106eee731e02b2757cc2a87df6d37cc0c07572faf2deb14f8b8ba3212a2130d267662d0171ac4b5e180bfec9241557679638f2d135649d2429ee9ce326c638a
SSDEEP

192:YcA0hyErRBqgOnPQPdcIdq20dqE5Ps6Z6GQO0bDDvz0EHITbKH62RTUz/Pwv8T:vJN0xIwtdn536bOEboEo3KH0z/Pwv+

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
500	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe
Token: SeDebugPrivilege	500	spoolsv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 500	660	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe	89
PID 660 wrote to memory of 500	660	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe	89
PID 660 wrote to memory of 500	660	2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe	89

C:\Users\Admin\AppData\Local\Temp\2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe
"C:\Users\Admin\AppData\Local\Temp\2711f3762b3544e8eaf83a14fa1716cf2fe1e80f3a86fb05b86948c6dc5a7afe.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
339KB

MD5
28cb82467295fb611bd70896aa2198c3

SHA1
99a022757228ef3dacb42028eb7ca0cfbe9c19ae

SHA256
be4f017e6e305aa473fcaa16571c72c6456ccc8930c3f55fa341fb9ea1cd0311

SHA512
9315cb01fe5080913705d467ccf87b71212d0fb3147cfed8068978996d6e498519caa387571153a049c02ce5850475d1e730b1a835205a4c61ef80dae6db8611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pu170OtLcmIIzJr.exe

Filesize
16KB

MD5
809a552ccb5f45816cbde8445d193b2b

SHA1
7244832a32f891c572763798796fe39b2bf31e3b

SHA256
d88be4b454b4a282b340fa25e58174e624cdbe3881e151aea59e1559cc4edf8e

SHA512
eca096ce647d2de8922af188e5450eabed8eafdb66f34e4945df37387b5db93742015dac519499b736a6a50b077c1e7be9c3ea4f44163fae4ed90a6a05146266

Download Submit
C:\Windows\spoolsv.exe

Filesize
16KB

MD5
361c84c05ec741535ded781e8e4ec642

SHA1
428b169536a5bb7c3b5a0c83e0ea0b0b48142b80

SHA256
6baa7bb87b1fb6faae543d8101b2006648ab11884c1f871e44cc23894e879ae7

SHA512
bd8aea4481289d1a42fb5e62453df6bff0f82dd567fd8e73c7342f0fc1c0331cb9d372aee732af9442f364bf13d40070ee818548874ffe4196def3527608fcaf

Download Submit
C:\Windows\spoolsv.exe

Filesize
16KB

MD5
361c84c05ec741535ded781e8e4ec642

SHA1
428b169536a5bb7c3b5a0c83e0ea0b0b48142b80

SHA256
6baa7bb87b1fb6faae543d8101b2006648ab11884c1f871e44cc23894e879ae7

SHA512
bd8aea4481289d1a42fb5e62453df6bff0f82dd567fd8e73c7342f0fc1c0331cb9d372aee732af9442f364bf13d40070ee818548874ffe4196def3527608fcaf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads