22e40f5ed1f690eb2527a76d65f7afb1e64690d22776c734ceb29cf53cb58dcb

General

Target

1b01535ce052861c30df0ad33a137fcf.exe
Size

82KB
MD5

1b01535ce052861c30df0ad33a137fcf
SHA1

854a744e62f80537b1f137bb819b4f9fa44bd88f
SHA256

22e40f5ed1f690eb2527a76d65f7afb1e64690d22776c734ceb29cf53cb58dcb
SHA512

5f381d2f360bed2fd1cc522c30c6adcfb510fe1fe989e1385489c8e145c7f44e4ec28b1f916deeb32aba3f9a94fd290f74f65cf140bb658d1207b611f0f6cc45
SSDEEP

1536:PaHLtZfHy0O/JuSkZWeGkqbT3ckFqtLUNCdbbEToYJOWYlppiu0C5hbs:PaHzHY/JBOQksAkItZnETHOrlplhA

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main	1b01535ce052861c30df0ad33a137fcf.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\SearchScopes	1b01535ce052861c30df0ad33a137fcf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "329728"	1b01535ce052861c30df0ad33a137fcf.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	1b01535ce052861c30df0ad33a137fcf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	1b01535ce052861c30df0ad33a137fcf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	1b01535ce052861c30df0ad33a137fcf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"	1b01535ce052861c30df0ad33a137fcf.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "file://localhost/C:/www.google.com.htm"	1b01535ce052861c30df0ad33a137fcf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3468	1b01535ce052861c30df0ad33a137fcf.exe
3468	1b01535ce052861c30df0ad33a137fcf.exe
3468	1b01535ce052861c30df0ad33a137fcf.exe
3468	1b01535ce052861c30df0ad33a137fcf.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 4240 wrote to memory of 3468	4240	1b01535ce052861c30df0ad33a137fcf.exe	19
PID 3468 wrote to memory of 3372	3468	1b01535ce052861c30df0ad33a137fcf.exe	48
PID 3468 wrote to memory of 3372	3468	1b01535ce052861c30df0ad33a137fcf.exe	48
PID 3468 wrote to memory of 3372	3468	1b01535ce052861c30df0ad33a137fcf.exe	48
PID 3468 wrote to memory of 3372	3468	1b01535ce052861c30df0ad33a137fcf.exe	48

C:\Users\Admin\AppData\Local\Temp\1b01535ce052861c30df0ad33a137fcf.exe
"C:\Users\Admin\AppData\Local\Temp\1b01535ce052861c30df0ad33a137fcf.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\1b01535ce052861c30df0ad33a137fcf.exe
  C:\Users\Admin\AppData\Local\Temp\1b01535ce052861c30df0ad33a137fcf.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3372-9-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3372-10-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3468-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-1-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3468-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-7-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3468-15-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3468-14-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads