95db9ea9df83185a3ab4cdcdac19f62ebf64daaf94ce2ba1f77677bcb361ba9e

General

Target

Q7ZiqgD1IZjP7fs.exe
Size

600KB
MD5

c93b8ad115f2693f3e5e33f505f44d06
SHA1

9b9e46a0140773ebb1686bb5d4567a4a7895f2da
SHA256

95db9ea9df83185a3ab4cdcdac19f62ebf64daaf94ce2ba1f77677bcb361ba9e
SHA512

e25b8859feaef40d340238ffd112dd80ab65369761c81f30a0fe12b5a74795a63f86e3e9699d39f37024c819da2cd93de71f782df11d6fde18902a0871f53025
SSDEEP

12288:DXy8oCF8Jwc0mfNXgotB4mmTnufYT1c4gWLpYX1WRMZicwHvZqvDH5f:DXFO2c0SNd74mNwZYX1WWZibP4F

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2800	credwiz.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2728 set thread context of 1236	2728	Q7ZiqgD1IZjP7fs.exe	8
PID 2728 set thread context of 2800	2728	Q7ZiqgD1IZjP7fs.exe	31
PID 2800 set thread context of 1236	2800	credwiz.exe	8

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1154728922-3261336865-3456416385-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	credwiz.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2728	Q7ZiqgD1IZjP7fs.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2728	Q7ZiqgD1IZjP7fs.exe
1236	Explorer.EXE
1236	Explorer.EXE
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe
2800	credwiz.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 2148 wrote to memory of 2728	2148	Q7ZiqgD1IZjP7fs.exe	28
PID 1236 wrote to memory of 2800	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2800	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2800	1236	Explorer.EXE	31
PID 1236 wrote to memory of 2800	1236	Explorer.EXE	31
PID 2800 wrote to memory of 1424	2800	credwiz.exe	33
PID 2800 wrote to memory of 1424	2800	credwiz.exe	33
PID 2800 wrote to memory of 1424	2800	credwiz.exe	33
PID 2800 wrote to memory of 1424	2800	credwiz.exe	33
PID 2800 wrote to memory of 1424	2800	credwiz.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\Q7ZiqgD1IZjP7fs.exe
  "C:\Users\Admin\AppData\Local\Temp\Q7ZiqgD1IZjP7fs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Q7ZiqgD1IZjP7fs.exe
    "C:\Users\Admin\AppData\Local\Temp\Q7ZiqgD1IZjP7fs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2728
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\SysWOW64\credwiz.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbb4p.zip

Filesize
478KB

MD5
72b88067a5a1a4f8d52c45e6621d13fe

SHA1
f84542474b8583f4371749282e5cc4d52661c222

SHA256
70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092

SHA512
a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/1236-71-0x0000000004EF0000-0x0000000004FE5000-memory.dmp

Filesize
980KB

Download
memory/1236-25-0x0000000004EF0000-0x0000000004FE5000-memory.dmp

Filesize
980KB

Download
memory/1236-26-0x0000000004EF0000-0x0000000004FE5000-memory.dmp

Filesize
980KB

Download
memory/1236-18-0x0000000008B00000-0x000000000AD8C000-memory.dmp

Filesize
34.5MB

Download
memory/1236-27-0x0000000008B00000-0x000000000AD8C000-memory.dmp

Filesize
34.5MB

Download
memory/2148-3-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2148-0-0x0000000000E00000-0x0000000000E9C000-memory.dmp

Filesize
624KB

Download
memory/2148-6-0x0000000004DD0000-0x0000000004E4E000-memory.dmp

Filesize
504KB

Download
memory/2148-5-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2148-12-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-4-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2148-2-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/2148-1-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-13-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/2728-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-17-0x0000000000210000-0x0000000000232000-memory.dmp

Filesize
136KB

Download
memory/2800-24-0x0000000001CF0000-0x0000000001D91000-memory.dmp

Filesize
644KB

Download
memory/2800-23-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2800-22-0x0000000001E70000-0x0000000002173000-memory.dmp

Filesize
3.0MB

Download
memory/2800-51-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2800-20-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2800-69-0x0000000061E00000-0x0000000061ECF000-memory.dmp

Filesize
828KB

Download
memory/2800-70-0x0000000001CF0000-0x0000000001D91000-memory.dmp

Filesize
644KB

Download
memory/2800-19-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing