e3ff5ca6952b263f1e3280b8ac648316a25fe1b5be45dae11317918d8856612a

General

Target

launcher.bat
Size

87B
MD5

864189b29e0ee9338690f34f60d9ed61
SHA1

2f130b692da72031ca0089894b84d716319c3b9a
SHA256

6887bbcea8d76ccb3cdf324d5a7b0feea4a7bbc17e4c05c9e7e07c735ba565a4
SHA512

957853c8a9a67d0555ddeb3981440d9709ff2762a4e4ae7cf48bc2a8a4cb9304154b696411ea4a521871b8322bdb433fd36988e230b91d1656f6c0c8488abafb

Score

8^/10

dave discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 40 IoCs

Processes:

rundll32.exe

flow	pid	process
2	2412	rundll32.exe
3	2412	rundll32.exe
4	2412	rundll32.exe
5	2412	rundll32.exe
6	2412	rundll32.exe
7	2412	rundll32.exe
8	2412	rundll32.exe
9	2412	rundll32.exe
10	2412	rundll32.exe
11	2412	rundll32.exe
12	2412	rundll32.exe
13	2412	rundll32.exe
14	2412	rundll32.exe
15	2412	rundll32.exe
16	2412	rundll32.exe
17	2412	rundll32.exe
18	2412	rundll32.exe
19	2412	rundll32.exe
20	2412	rundll32.exe
20	2412	rundll32.exe
21	2412	rundll32.exe
22	2412	rundll32.exe
23	2412	rundll32.exe
24	2412	rundll32.exe
25	2412	rundll32.exe
26	2412	rundll32.exe
27	2412	rundll32.exe
28	2412	rundll32.exe
29	2412	rundll32.exe
30	2412	rundll32.exe
31	2412	rundll32.exe
32	2412	rundll32.exe
33	2412	rundll32.exe
34	2412	rundll32.exe
35	2412	rundll32.exe
36	2412	rundll32.exe
37	2412	rundll32.exe
38	2412	rundll32.exe
39	2412	rundll32.exe
40	2412	rundll32.exe

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral3/memory/2412-2-0x0000000002440000-0x0000000002816000-memory.dmp	dave

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2412 set thread context of 2112 2412 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2412 set thread context of 2112	2412	rundll32.exe	rundll32.exe

Drops file in Program Files directory 11 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1864 2412 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1864	2412	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A0A53CEFED1F05209AC9C29109E4222C7C043A8B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A0A53CEFED1F05209AC9C29109E4222C7C043A8B\Blob = 030000000100000014000000a0a53cefed1f05209ac9c29109e4222c7c043a8b2000000001000000340200003082023030820199a003020102020805b4301b7c3e8bc7300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656d7469636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3231313232303139303432345a170d3235313231393139303432345a30503132303006035504030c294d6963726f736f66742041757468656d7469636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100f4263d7b53eb4278477812222550304e610d29a5c072237147566d9496a2614b3ab836c8bfa20cf7e95e8d60b2b3931f50a8357264db14c612a639edfe5ac9790365bfd7244f8e84eb97610938a990bcdbef690fc0aa9cfeaee0a0addfc8e173737bbaf9bd7296f92afb690771665f689cef7e89c4eb69062c49f24e355214a70203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100ed39cbe91cfa7db337c2ea7b3237fbd7acd1f816607098dfc7fc9fd7e96c577902618fdb121fd080d6e4bfa66123093f9f1b0125dbd90fd5dbe16ad9f49353802e5e6feac2546630d88c666f812faffbc6123f52cc06c1ebbfe00105ff498604a046dff5777824e6a3918490c37fea87254efda1c1474e3b41f83c80ac1ecd5a	rundll32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

rundll32.exepowershell.exe

pid process

2412 rundll32.exe
2412 rundll32.exe
2412 rundll32.exe
2412 rundll32.exe
2412 rundll32.exe
2412 rundll32.exe
528 powershell.exe

pid	process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
528	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

rundll32.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	528	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

2112 rundll32.exe

pid	process
2112	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1976 wrote to memory of 2652	1976	cmd.exe	rundll32.exe
PID 1976 wrote to memory of 2652	1976	cmd.exe	rundll32.exe
PID 1976 wrote to memory of 2652	1976	cmd.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2652 wrote to memory of 2412	2652	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 528	2412	rundll32.exe	powershell.exe
PID 2412 wrote to memory of 528	2412	rundll32.exe	powershell.exe
PID 2412 wrote to memory of 528	2412	rundll32.exe	powershell.exe
PID 2412 wrote to memory of 528	2412	rundll32.exe	powershell.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 2112	2412	rundll32.exe	rundll32.exe
PID 2412 wrote to memory of 1864	2412	rundll32.exe	WerFault.exe
PID 2412 wrote to memory of 1864	2412	rundll32.exe	WerFault.exe
PID 2412 wrote to memory of 1864	2412	rundll32.exe	WerFault.exe
PID 2412 wrote to memory of 1864	2412	rundll32.exe	WerFault.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
2⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
4⤵
- Suspicious use of FindShellTrayWindow
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1344
4⤵
- Program crash
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\14t8eq6w.default-release\containers.json
Filesize
939B

MD5
94a3843fad8c45c48b0e07342df3dfdc

SHA1
d55b650208bda884d573afebd90830a3f4d7c201

SHA256
854ff2076f71097b030c302a1ea71d8e851d2920b9ff5fc8dc8f16c91ba95b72

SHA512
4d2a6b2a223ad81bb97195abb27685cf88453caf5769de154b373486d5245f02e0c0f664281d8e3bb33bfcdf1d6f7b3d9602303864d4e56481382adcb0b932db

Download Submit
memory/528-94-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/528-103-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/528-99-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/528-92-0x00000000735C0000-0x0000000073B6B000-memory.dmp

Filesize
5.7MB

Download
memory/528-93-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/528-97-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2112-96-0x0000000000750000-0x0000000000890000-memory.dmp

Filesize
1.2MB

Download
memory/2112-98-0x0000000000290000-0x00000000004C1000-memory.dmp

Filesize
2.2MB

Download
memory/2112-53-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2112-85-0x0000000077720000-0x0000000077721000-memory.dmp

Filesize
4KB

Download
memory/2112-88-0x00000000021B0000-0x00000000023F2000-memory.dmp

Filesize
2.3MB

Download
memory/2112-86-0x0000000000750000-0x0000000000890000-memory.dmp

Filesize
1.2MB

Download
memory/2112-87-0x0000000000750000-0x0000000000890000-memory.dmp

Filesize
1.2MB

Download
memory/2112-78-0x0000000000290000-0x00000000004C1000-memory.dmp

Filesize
2.2MB

Download
memory/2112-50-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2112-95-0x00000000021B0000-0x00000000023F2000-memory.dmp

Filesize
2.3MB

Download
memory/2412-25-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-0-0x0000000002820000-0x0000000002BF8000-memory.dmp

Filesize
3.8MB

Download
memory/2412-30-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-32-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-33-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-34-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-35-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-36-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-37-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-38-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-39-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-40-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-41-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2412-42-0x0000000002210000-0x0000000002350000-memory.dmp

Filesize
1.2MB

Download
memory/2412-45-0x0000000002210000-0x0000000002350000-memory.dmp

Filesize
1.2MB

Download
memory/2412-46-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-48-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-49-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-28-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-27-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-51-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-31-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-24-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-81-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2412-80-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-83-0x0000000002210000-0x0000000002350000-memory.dmp

Filesize
1.2MB

Download
memory/2412-82-0x0000000002210000-0x0000000002350000-memory.dmp

Filesize
1.2MB

Download
memory/2412-79-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-23-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-22-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-21-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-84-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-20-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-89-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-19-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-18-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-17-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-16-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-15-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-14-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-13-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download
memory/2412-5-0x0000000002C00000-0x0000000002FDF000-memory.dmp

Filesize
3.9MB

Download
memory/2412-2-0x0000000002440000-0x0000000002816000-memory.dmp

Filesize
3.8MB

Download
memory/2412-104-0x0000000003270000-0x0000000003A7A000-memory.dmp

Filesize
8.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads