c18328409dbffaf6825e65ec6a41091c7baa59c779f9dfa37647f98bd5000329

General

Target

712af955d45e4cb10d26b4e27d58de3c.exe
Size

324KB
MD5

712af955d45e4cb10d26b4e27d58de3c
SHA1

94eaaf79d768c90de818e04ca68d7da627138333
SHA256

c18328409dbffaf6825e65ec6a41091c7baa59c779f9dfa37647f98bd5000329
SHA512

a6a9f261d1f0e10d87a2f5fdd6f14f708a5cbc7347206b01b0bc2f9bce840471370a92c048193080b0a49687b3a8cdea4c222925201c911487983d0f4fd05c92
SSDEEP

6144:FqzanIDYbcdsx+GmlWzB+P+VZGrIorLaHo9b1q7kN8+Q:F5Z+GmlGhIIoKHoBBu+Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4384	StartUp.exe
940	ctfmon.exe
3596	Ad32.exe

Loads dropped DLL 2 IoCs

pid	Process
940	ctfmon.exe
3596	Ad32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	StartUp.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\nAdin.com	StartUp.exe
File created	C:\Windows\inf\Ad32.exe	StartUp.exe
File opened for modification	C:\Windows\inf\MyEgg.exe	StartUp.exe
File opened for modification	C:\Windows\inf\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File created	C:\Windows\inf\MyEgg.exe	StartUp.exe
File opened for modification	C:\Windows\inf\Ad32.exe	StartUp.exe
File created	C:\Windows\Drive XP.exe	Ad32.exe
File opened for modification	C:\Windows\Drive XP.exe	Ad32.exe
File created	C:\Windows\SYSTEM\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File created	C:\Windows\inf\ctfmon.exe	StartUp.exe
File opened for modification	C:\Windows\inf\ctfmon.exe	StartUp.exe
File created	C:\Windows\ntpad.cmd	ctfmon.exe
File opened for modification	C:\Windows\ntpad.cmd	ctfmon.exe
File opened for modification	C:\Windows\SYSTEM\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File opened for modification	C:\Windows\inf	StartUp.exe
File opened for modification	C:\Windows\nAdin.com	StartUp.exe
File opened for modification	C:\Windows\inf\ctfmon.exe	ctfmon.exe
File created	C:\Windows\inf\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4340	940	WerFault.exe	87
3436	3596	WerFault.exe	100

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3736	712af955d45e4cb10d26b4e27d58de3c.exe
3736	712af955d45e4cb10d26b4e27d58de3c.exe
4384	StartUp.exe
4384	StartUp.exe
940	ctfmon.exe
940	ctfmon.exe
3596	Ad32.exe
3596	Ad32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4384	3736	712af955d45e4cb10d26b4e27d58de3c.exe	90
PID 3736 wrote to memory of 4384	3736	712af955d45e4cb10d26b4e27d58de3c.exe	90
PID 3736 wrote to memory of 4384	3736	712af955d45e4cb10d26b4e27d58de3c.exe	90
PID 4384 wrote to memory of 940	4384	StartUp.exe	87
PID 4384 wrote to memory of 940	4384	StartUp.exe	87
PID 4384 wrote to memory of 940	4384	StartUp.exe	87
PID 4384 wrote to memory of 3596	4384	StartUp.exe	100
PID 4384 wrote to memory of 3596	4384	StartUp.exe	100
PID 4384 wrote to memory of 3596	4384	StartUp.exe	100

C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe
"C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\inf\Ad32.exe
    C:\Windows\inf\Ad32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 608
      4⤵
      Program crash
      PID:3436

C:\Windows\inf\ctfmon.exe
C:\Windows\inf\ctfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 620
  2⤵
  - Program crash
  PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 940 -ip 940
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3596 -ip 3596
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe

Filesize
324KB

MD5
37d54ca882c376ac626700fba4f7437c

SHA1
ca7e2a291134523f4980c1a4dbd288a8604b14d5

SHA256
def9ae26b61793810710d47038bae67c2c4343ef16c5d3679d9fcd9285b26e55

SHA512
6b24860601b87628d5b1ea2acf6552e0e9f907b2e2c3123328b790a6dd69deb49eaed2833e7a0de4633bdf126150b3ea68b2602d63c0240b36601ad0da7dc592

Download Submit
C:\Windows\INF\Ad32.exe

Filesize
324KB

MD5
9982072af2bdda63ee372fa7e36b368a

SHA1
cfb97dcfdcde2fc2522f9f37e92f9aee5a5a8f26

SHA256
ccd392d28d6b5351d8464fcf57a36bdd286baeefab7c80a28b3255a5663ddf5e

SHA512
a2ac37727cf244453c97d71abb163ca873a1918da2caf473601ab041785342884400ea5eb333100bf9fdf69ff5ce5a644d6f5f67d32313bf7c53babeccecbbf8

Download Submit
C:\Windows\INF\msvbvm60.dll

Filesize
1024KB

MD5
399879f366a7e915592aa89c21a0b677

SHA1
8e7b3a116b04765aeeae56f87b8267dd6b444378

SHA256
353a63b8940719e836c15a41d25d89e2b5f1b0e140a8baecbc49638503a21d7b

SHA512
0b92e3da154bd45073cb702c51c36f1df2b9d3be5ba990747ea3a8dd8dabc5314cbd797b33c685d406ef848f78fabd6ddbcba75e58bcc30b304ae3d94b6df3fa

Download Submit
memory/940-39-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/940-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3596-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3596-73-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3736-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3736-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3736-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4384-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4384-81-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4384-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing