8aebe8d232ed1854d9adf18e60134f5fb100b26bacf25f90ee543bbd6256596c

General

Target

4ba118c27cdeb3d36527e6393ab1c7f1.exe
Size

7.1MB
MD5

4ba118c27cdeb3d36527e6393ab1c7f1
SHA1

4945412ca69f6198758bb828ee721839a3690140
SHA256

8aebe8d232ed1854d9adf18e60134f5fb100b26bacf25f90ee543bbd6256596c
SHA512

8f4032269a9a77962fc265c8213f71f992b5b903af29641fd130d8741107e1f07c273cf817285307412e844535cb291d8d13d0c36433e57af476ec6222846a9b
SSDEEP

196608:sn3cfs6ucnb4mlsXiTFRzkpE/URsAvkHjI+ScoQsKoBmNYaNEp3YrrO5:0kNnb4mPTFhk7JvkHjI+SSsmesK3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2888	Driver_Genius_9_Professional_US_Full.EXE
3000	Driver_Genius_9_Professional_US_Full.tmp

Loads dropped DLL 4 IoCs

pid	Process
2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe
2888	Driver_Genius_9_Professional_US_Full.EXE
3000	Driver_Genius_9_Professional_US_Full.tmp
3000	Driver_Genius_9_Professional_US_Full.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	Driver_Genius_9_Professional_US_Full.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2824 wrote to memory of 2888	2824	4ba118c27cdeb3d36527e6393ab1c7f1.exe	28
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29
PID 2888 wrote to memory of 3000	2888	Driver_Genius_9_Professional_US_Full.EXE	29

C:\Users\Admin\AppData\Local\Temp\4ba118c27cdeb3d36527e6393ab1c7f1.exe
"C:\Users\Admin\AppData\Local\Temp\4ba118c27cdeb3d36527e6393ab1c7f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE
  "C:\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\is-2VEUC.tmp\Driver_Genius_9_Professional_US_Full.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2VEUC.tmp\Driver_Genius_9_Professional_US_Full.tmp" /SL5="$500F4,7076809,100864,C:\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE

Filesize
1.4MB

MD5
704678efe4825b54ebf32b64ac5e0832

SHA1
0b17fd44abc93553e58b0452c939b71164761b0c

SHA256
b5919f4e8c1a168e6710cbe342f7c0f943c06f1b5627c871ecff43a57e54b382

SHA512
fba6b4a7b7e74fafc461d29e33abc586066ff7ee4a1a2343606891370d5edf7e4b0446ba8a6809094c689cbc434935537b5a174d5d1ed4626a3c0e4eaa22bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE

Filesize
385KB

MD5
b0e7041b6dba8448fb22f8cbe443af9f

SHA1
f9c6131bee7c1546433025396e9ea4aed5ae63f8

SHA256
cc4b21fe5580950183c31eabc633e650b1efdf0ba8ec9f3757fa514f08c94599

SHA512
5ceb73e54df537ed5b52f71bcc9d4f9a1e7b2ca479f30cbface7ea546af47fcf21b23ba5190ca9e03f2dae62f008c14602a6082638e1a5847991db24ff0f30ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2VEUC.tmp\Driver_Genius_9_Professional_US_Full.tmp

Filesize
382KB

MD5
4c35bdd55be812ed17849509ffb37309

SHA1
ed3cc308917235dd4e43c75d9eff00693c2b61f9

SHA256
f04ece6e31d2dba64285c8765d5397102a3fbcdc425d6ff2bfdd1add32cae755

SHA512
7369d4b6ac91f7e85c095b25418fc9b0dc071d8ae082f45e9fbfb8bd31d73d1f37b4305bd77159aed07f90b5b3f09d0ba17c0c80be57f8d159675753ccb4d88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2VEUC.tmp\Driver_Genius_9_Professional_US_Full.tmp

Filesize
381KB

MD5
18d5197269ae29575795032279fabe73

SHA1
a8fc30f800477144d9cd947cccf8b9c3d72b3524

SHA256
1b281a54975e831f6115c8494e8fddbfc62c291c9b6dcf0eee464962e0442ef1

SHA512
f69f4de3f5669b14d0e06f25a16f15c919709bb15a55466afe0d85a9b7292f9a5fdb7a83ee0d2251599382445773917f0f7c9df54537441148beeb9c2137bb6e

Download Submit
\Users\Admin\AppData\Local\Temp\Driver_Genius_9_Professional_US_Full.EXE

Filesize
2.1MB

MD5
d94d70e8bb4701f66fd5b79fd2fcb504

SHA1
218c88b7f9d0d26b0816ae962e0830fd2bbc1ef3

SHA256
51519bdc7a623d70ab2c013214aa36c6ccf99a5b110463a7cb6d4267f2170c2b

SHA512
e6c3d0cf84952b9ee3d8b71b73796caaa93a2edb78df77da334b03251a43f08f1aa5104d68b8b79915b1565c202b581132113253f665fed9caa3e9ad273bcbf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-17MTV.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2888-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2888-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2888-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3000-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3000-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3000-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing