76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c

General

Target

as_driver.exe
Size

5.7MB
MD5

bd424a7fd1d0dbb18047473d25acf79d
SHA1

c663dcda2f85b9e43cb2160e8e6387657091e666
SHA256

76db9e74e9f0384c822b933a464cbc1f63b4c9a0a0b064774f09d8ee946d800c
SHA512

f7bd8928aa9b088a088897c14e6cbf87f6b36d024217fca360487ca8a3e8fe0c37080c3efe31f9502ba76aeffefdb5af66d51ca3ab4b986387bbccda53ee354f
SSDEEP

12288:OmOcdB+QGf79+kXqfDRjagi+Ug/NqTRxGrXnlJHmjEMnsL4pYZynND:nBcgAnRinrmb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

QP.exe

pid process

2700 QP.exe
Loads dropped DLL 5 IoCs

Processes:

as_driver.exeWerFault.exe

pid process

2428 as_driver.exe
2428 as_driver.exe
1060 WerFault.exe
1060 WerFault.exe
1060 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1060 2700 WerFault.exe QP.exe

pid	process
2700	QP.exe

pid	process
2428	as_driver.exe
2428	as_driver.exe
1060	WerFault.exe
1060	WerFault.exe
1060	WerFault.exe

pid	pid_target	process	target process
1060	2700	WerFault.exe	QP.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

as_driver.exeQP.exe

description	pid	process	target process
PID 2428 wrote to memory of 2700	2428	as_driver.exe	QP.exe
PID 2428 wrote to memory of 2700	2428	as_driver.exe	QP.exe
PID 2428 wrote to memory of 2700	2428	as_driver.exe	QP.exe
PID 2428 wrote to memory of 2700	2428	as_driver.exe	QP.exe
PID 2700 wrote to memory of 1060	2700	QP.exe	WerFault.exe
PID 2700 wrote to memory of 1060	2700	QP.exe	WerFault.exe
PID 2700 wrote to memory of 1060	2700	QP.exe	WerFault.exe
PID 2700 wrote to memory of 1060	2700	QP.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\as_driver.exe
"C:\Users\Admin\AppData\Local\Temp\as_driver.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Roaming\Adobe\QP.exe
"C:\Users\Admin\AppData\Roaming\Adobe\QP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 812
3⤵
- Loads dropped DLL
- Program crash
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
5KB

MD5
857e877260b629b84e79fdbf9bb40fd7

SHA1
f97f95b83c08994fb011754d6e58258f435d13a9

SHA256
96f38f7816f991cac63353f2a1ed8a2a2fcd9a2d3670baa017dd2bbd132fea56

SHA512
67e3df33bff27a9706cbe4178570e7b55d7e31bf712bbdcf0647792d1c16a8842d0cab463f54308369cf6a514a23aca1575568aa009250de12bd37baaea9c26a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
159KB

MD5
b1d6d66282771bdaee20f0295991140a

SHA1
f65c534725a4aa947285ecbb2acf3f5083803152

SHA256
9697901177242e9a450aae820687ddbbd13196b5876ec77cdcb663cfbadb0053

SHA512
af0bd80c0fdb1c336268c1bcdb8b0a05a588a1ded511669f6974b10e19752bed5305fda870a9a1e61be30db14228194f84ec8da74e9836eec3506d0629fe0900

Download Submit
\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
1KB

MD5
98f9230dc65e24709fd2c52b602bec1e

SHA1
5b609c31c1e46a4a5c24a9afbca933f08fd547ed

SHA256
72dbf70c6eb90d25a26c77bab8f79db96dcc4158722f7a1f042a8c207bf97b52

SHA512
ba2f10e1664b4847ab393c13b79807ce2e0c83442a000a1f96da6dc76b62932cb32135abf737c076e6df228514b9b7324e51e83ae142312c1d3e3dcb8f0fc982

Download Submit
\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
9KB

MD5
75e84dc211242babc2dae7824c059ca6

SHA1
5af39e45091002a28cff741395d67167d0c63706

SHA256
d1de2a22467266958a1f5523db2dc3401289162ff29af0cecf76152634698078

SHA512
1fa6980fb0884822f02eca23db038f3d98ffb201b3011b55e20be327acbb7b16abd957407880fce57ba0d4a23a67651384ee20f3d61c2e278ae9e5e45539bd6f

Download Submit
\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
136KB

MD5
b2f88f3f2477cb248a2bbdba8fd408b0

SHA1
94a7311b4d847f399da8785df3a1e157367f217e

SHA256
c6bb4119d28387ba96d8f721a5134cca03c623e9f514769e4cf6b5f7c3f2291d

SHA512
a0bd24bcaf6b41a28ba817aa42a7c9a92c6274112133494d4e2ac1422e0a556c8f8b7376273ffb152a610fe55b4b6b42e91b222d61572b02db6b0a72aaec9f05

Download Submit
\Users\Admin\AppData\Roaming\Adobe\QP.exe
Filesize
61KB

MD5
1c0e585e9e7a20be439b92ae66d8a9c7

SHA1
ee55776ba1d8bae625abc2728b1ed4e443631050

SHA256
059ab835820a1a952e9c8e5a8148dc64fc6607f3a8952eb91fb15fddd10357fb

SHA512
3f368e84e900ee77916e176c66bdc2fc82f3571e8578c5b9c14b811fc9769cf07d28708d04f22c02c4e18e538257f873bd01bd64b3cef2606bd211466282f59c

Download Submit
memory/2428-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-0-0x00000000003C0000-0x0000000000432000-memory.dmp

Filesize
456KB

Download
memory/2428-10-0x0000000001F40000-0x0000000001F7D000-memory.dmp

Filesize
244KB

Download
memory/2428-13-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-12-0x0000000001F40000-0x0000000001F7D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing