fc4e7717616226d720bc8614a6b691124b607c79ed8f6a4c2b7816f5dac835b2

General

Target

Wishes for our journey November 2023.scr
Size

643.0MB
MD5

211eb4f3ef90b4de98dbaf02ca4e84ea
SHA1

9cedbdb80bfad19a544b654c1acd1bea05100f3d
SHA256

3987ec9427b0cd379f15d0b47495d82fb02d0d81ff7d97c8ecb1cc89d1579855
SHA512

8ce12429bb100cdc4382c37a35292592129af1870f397182b2e5e071be685634d3ff7e29b347fed489190d0e64456f14c97b08be4068537266c75a3cfc60fdc5
SSDEEP

49152:WJM8HnE4zw7vtvw2DnXSGLZDRSh0z5+huOV0J3xoX7ixFgn:WJpzw7vdRDR54u7oy2n

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1992	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wishes for our journey November 2023.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Wishes for our journey November 2023.scr
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wishes for our journey November 2023.scr

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2140 timeout.exe

pid	process
2140	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wishes for our journey November 2023.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Wishes for our journey November 2023.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Wishes for our journey November 2023.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Wishes for our journey November 2023.scr

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Wishes for our journey November 2023.scr

pid	process
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr
2000	Wishes for our journey November 2023.scr

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Wishes for our journey November 2023.scrcmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 980	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 980	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 980	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 980	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 1992	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 1992	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 1992	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 2000 wrote to memory of 1992	2000	Wishes for our journey November 2023.scr	cmd.exe
PID 1992 wrote to memory of 2140	1992	cmd.exe	timeout.exe
PID 1992 wrote to memory of 2140	1992	cmd.exe	timeout.exe
PID 1992 wrote to memory of 2140	1992	cmd.exe	timeout.exe
PID 1992 wrote to memory of 2140	1992	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Wishes for our journey November 2023.scr
"C:\Users\Admin\AppData\Local\Temp\Wishes for our journey November 2023.scr" /S
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KJEHCGDBFC.exe"
2⤵
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Wishes for our journey November 2023.scr" & del "C:\ProgramData\*.dll"" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b233d403d1262d57f84b5582dfd36a5d

SHA1
a06f2c3246f28da7e543aad135e5b23c672e1f2b

SHA256
30b7919be52e85a0d8478fefa0efc489cd0eb85151addd4bbf5179bb99583c52

SHA512
dc3ac939257426c084f24274f4a82849b317eda91bb5a5ea4f1b36aa9d8d0967323f956fcaaf9e21e5f9c587ea583327b65dec3c24803be9d2eecf221cbc94c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5708.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5768.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/980-213-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2000-3-0x000000002C020000-0x000000002C25A000-memory.dmp

Filesize
2.2MB

Download
memory/2000-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2000-2-0x000000007761F000-0x0000000077620000-memory.dmp

Filesize
4KB

Download
memory/2000-119-0x000000002C020000-0x000000002C25A000-memory.dmp

Filesize
2.2MB

Download
memory/2000-120-0x000000002C020000-0x000000002C25A000-memory.dmp

Filesize
2.2MB

Download
memory/2000-140-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2000-194-0x00000000001A0000-0x00000000011A0000-memory.dmp

Filesize
16.0MB

Download
memory/2000-197-0x000000002AF80000-0x000000002B000000-memory.dmp

Filesize
512KB

Download
memory/2000-199-0x000000002C020000-0x000000002C25A000-memory.dmp

Filesize
2.2MB

Download
memory/2000-1-0x000000002AF80000-0x000000002B000000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads