123a2f45b582c82b36c29c054f378f7559cb346a9090de9caf0ebe577f8a1664

General

Target

02c03f3d2982ecdd7dde16212b7533bf.exe
Size

1.2MB
MD5

02c03f3d2982ecdd7dde16212b7533bf
SHA1

9e6f922920775f9a8b36177489a5de3c59c9d21f
SHA256

123a2f45b582c82b36c29c054f378f7559cb346a9090de9caf0ebe577f8a1664
SHA512

9a843f985e217147b273edc1a06bef58976645a0f7c8ea23609196deb8d3e94e66af09cb7c151dbf9d8e4ec4253f6bb9f7b69a3c1b8fa17fe199c56cbb2291f5
SSDEEP

24576:vjQqIWuXi6kgaINVZdkQaAUuEgYdBO+hkmDZs82kOUF4+mfM2neKvYV58QGOjbvo:souXiTcNLefAUvVb3ZLOU+PeKvYV9DmZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	tmppack.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	02c03f3d2982ecdd7dde16212b7533bf.exe
2260	02c03f3d2982ecdd7dde16212b7533bf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	02c03f3d2982ecdd7dde16212b7533bf.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	02c03f3d2982ecdd7dde16212b7533bf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	02c03f3d2982ecdd7dde16212b7533bf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	02c03f3d2982ecdd7dde16212b7533bf.exe
2260	02c03f3d2982ecdd7dde16212b7533bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2324	2260	02c03f3d2982ecdd7dde16212b7533bf.exe	27
PID 2260 wrote to memory of 2324	2260	02c03f3d2982ecdd7dde16212b7533bf.exe	27
PID 2260 wrote to memory of 2324	2260	02c03f3d2982ecdd7dde16212b7533bf.exe	27
PID 2260 wrote to memory of 2324	2260	02c03f3d2982ecdd7dde16212b7533bf.exe	27

C:\Users\Admin\AppData\Local\Temp\02c03f3d2982ecdd7dde16212b7533bf.exe
"C:\Users\Admin\AppData\Local\Temp\02c03f3d2982ecdd7dde16212b7533bf.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\GJKTGAOC\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GJKTGAOC\installer.pak

Filesize
1.6MB

MD5
332cf36bd3c1e80356b16b6052b564ff

SHA1
56b707f838ebf2f3889777cc099d3a972ed11a53

SHA256
2604cc35b1558b957320b8e2e051e66cf0e5bc314ccdb742f138644f4681ea1f

SHA512
8980e51ca8df5823e647b20b59c4469967460653459d10fce5ef431912a67300b94111219e0361f72b9cbbf6588577ed21b8c860b5f8f079db9b30e32e6bb9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj22405f\gui\4177.html

Filesize
33KB

MD5
3aa2a8bfde57694bee67bff298b902a5

SHA1
2e60c52c10cd4624cc7ec7543ff0a4c2ceb8d49c

SHA256
6cfca5d00f00053df28566b64081a669084f297aca4cfde020edaa181e0ec63a

SHA512
4977c2fb91e2baf5e062f878fda431ee1476ad6fddbba69696afe3eae389085923190e1bf586348f8e81c947b0eab657a5bfe017c95b35fe4850d93daadef5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj22405f\gui\page_4183_attr_3.png

Filesize
10KB

MD5
cf6451e42fc3d5cacaab23dfb286e9dd

SHA1
320cb0371ed48b15dfd4839d0c2d0a1a1be60e38

SHA256
4b25cde8520cb7cdc9b6a50e95b95746ab9233b5c956ff24cdd74a0150eaefc7

SHA512
aa40b291a4c40767e802952f892f67304b13199aef27267ab130f9842306dea47d3bde986c5fe7abc67847b89bc937066b79c2a097f7dedd7be6423dbe0d8565

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj22405f\gui\page_4183_attr_46.bmp

Filesize
41KB

MD5
19cafe521085d306aa66d256bce120c6

SHA1
a41ae63f80dc451fb68a34f64aa86867f2cdbd6e

SHA256
ce22b3fa0bb7ad842657737c51a287caea2623019fcefbea4906462f49e31894

SHA512
936e0ca8f2accfaba11dc190e89ae3d19e2ba0963824e87c24ab7e1cc006cc7232163c90924a1e93abe7d602b64b4b5543544e114d9059ea56b6f28535c8527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vj22405f\wizard.xml

Filesize
7KB

MD5
668db86f85ca867db6c1171b3c2830e5

SHA1
45f1459e83c6d1aad99f03f724e4086b51e08e13

SHA256
4be63b1a3b61ce143740eb0f1adbe44cda00b8a7a76a068e933fbaf40e91e5b0

SHA512
9c290624368c68d31bd2e80a28ecdb7e048a34bb20d2b1d05c7ab8f9179b61ba4a66ba6d43e1833b16a3fea807fb9c3a39659e67ea538a938e612109fcb4e45a

Download Submit
\Users\Admin\AppData\Local\Temp\GJKTGAOC\tmppack.exe

Filesize
710KB

MD5
10daa2e4f1e882a5713842f2b2bf6603

SHA1
b30ba835703e3a995cb78e47a83086f31572c887

SHA256
a01124f401eca585e76f2f6224b3e46004093eb93525a91477622a79f5889efa

SHA512
146ba429cccd41aaf2d65686f0463545735b7b610a634a9367b0be3d731d6836f4fb5e886a8bff6875b657b8d97e3c8472260b571debcedd56432a55aac47071

Download Submit
memory/2260-92-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2260-12-0x0000000002C30000-0x0000000002DC7000-memory.dmp

Filesize
1.6MB

Download
memory/2260-137-0x000000000BC00000-0x000000000BC20000-memory.dmp

Filesize
128KB

Download
memory/2260-142-0x000000000BC00000-0x000000000BC20000-memory.dmp

Filesize
128KB

Download
memory/2260-143-0x000000000BC00000-0x000000000BC20000-memory.dmp

Filesize
128KB

Download
memory/2260-165-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2260-166-0x000000000BC00000-0x000000000BC20000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing