bb5a9d6418509a04633788d4c9afdb3b3e78f23907565bcdf80e65dd79c1fe79

General

Target

14c87d8e079bba8933dd6daa4b118803.exe
Size

1018KB
MD5

14c87d8e079bba8933dd6daa4b118803
SHA1

6efc80e872ece113a011fb2f7dab2e4cc272fd7c
SHA256

bb5a9d6418509a04633788d4c9afdb3b3e78f23907565bcdf80e65dd79c1fe79
SHA512

2f4473dfefa9e351c69e76688448079b5b02bdf53ad45b881450686b43d8d913ced9309117e1ca36262716608d218a7b30b326d50bc238869c033d6923df227e
SSDEEP

24576:An0TX1hQfJuu5x8/elO3gs8ZG8aljjAFF:u0TX1efJug8OO388jAr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	tmppack.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	14c87d8e079bba8933dd6daa4b118803.exe
2468	14c87d8e079bba8933dd6daa4b118803.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	14c87d8e079bba8933dd6daa4b118803.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	14c87d8e079bba8933dd6daa4b118803.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	14c87d8e079bba8933dd6daa4b118803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	14c87d8e079bba8933dd6daa4b118803.exe
2468	14c87d8e079bba8933dd6daa4b118803.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2672	2468	14c87d8e079bba8933dd6daa4b118803.exe	28
PID 2468 wrote to memory of 2672	2468	14c87d8e079bba8933dd6daa4b118803.exe	28
PID 2468 wrote to memory of 2672	2468	14c87d8e079bba8933dd6daa4b118803.exe	28
PID 2468 wrote to memory of 2672	2468	14c87d8e079bba8933dd6daa4b118803.exe	28

C:\Users\Admin\AppData\Local\Temp\14c87d8e079bba8933dd6daa4b118803.exe
"C:\Users\Admin\AppData\Local\Temp\14c87d8e079bba8933dd6daa4b118803.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\OJRMBMAWGQUCOBRBAAU\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OJRMBMAWGQUCOBRBAAU\installer.pak

Filesize
1.3MB

MD5
9161de0c745a2467e8b1efa7fe828986

SHA1
85ae7bf18c3f0cc68a8489363d883594ace964ca

SHA256
fb46408ed5b0aca2c7ad9f33916f09b212c720473ec3222eadd7b66383b4bc21

SHA512
46b211ad8164ff11a4a48c5ad64478c148defe001cf9896354a0b002f9e1936ca251382a1f0ecf78e5a965557ad44716fd73c0456aae57543cb6d180e76ffd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbw8b58l\gui\MainProduct.html

Filesize
3KB

MD5
bbccaf41a1428f1a33357a10bc094edb

SHA1
612281956e1b9d895bbc078c271846f881e4c264

SHA256
50fdf1d3cd943aea15616a56391e6f388ea42be11ea3c269412af5b09ef9fbaf

SHA512
af6a25948746cfcdc0421ac1a96d2efa3fceaf9093c3931d25087d9c12258f06a410e7f7d5260d17d6dbdc00dde74df5b25cfda0260ac531a07b7a200ec41bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbw8b58l\gui\events\cav.xml

Filesize
981B

MD5
8a5e1aad7303d8174cf3ba5e3591624c

SHA1
5bc119db938869e24dc18f9f70a5039cefaa9b19

SHA256
a3dc8aa222cb5edb0d18f4526a0b0859647b48b4bdc52a5c9431c4ec6779f538

SHA512
3c5c491234024226e6486f7426ab941a38701e33a0d1c70012cd64080904c2ee3f4f792ed992e3e605357471bc4da30c661b843b6b2501c4bed4041c4a6bc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbw8b58l\wizard.xml

Filesize
6KB

MD5
e2c54bb281c55017eacf719a0ed4473a

SHA1
2420a30e15d34f59debca05fcac70e2777b57cf5

SHA256
69291dad810c2d34f56b98548139df41622793d0cd68391ce36a811a346e20e0

SHA512
01f32dde661627e7253d5c0a1a51b7234dc2ccfda8689f0cd7b6464a4752d55c33f8661429c6e67782790ca6224ce6da28835a8346cae551712512c9812eb3e7

Download Submit
\Users\Admin\AppData\Local\Temp\OJRMBMAWGQUCOBRBAAU\tmppack.exe

Filesize
561KB

MD5
191daa51ab8e3dbe928711f001dc3adb

SHA1
84d307554c31dd13b5789109505b7394f34c7836

SHA256
a39c78f61f42f22bfb40cfe9f56239bb15d7ea6ca153a5ded61c36997a61fa45

SHA512
1b10db82956d2092bee5b0a3f954b47bbfe669193d04fb586545a8a8167d84dc1a6f8aab8bd0d1695145830c733e0fa3b2505223bd50495a65bae32b04837a51

Download Submit
memory/2468-12-0x00000000022F0000-0x0000000002439000-memory.dmp

Filesize
1.3MB

Download
memory/2468-78-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2468-144-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing