b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FFA.exe
Size

652KB
MD5

7589fe75123045e6f30eab511e55bc3a
SHA1

34e473bb2385e923feccb4aa5375a56924893a31
SHA256

747f15512f3b04420d0bc2264192fb1f8a4cdf81993afb191ae835d86b650cd8
SHA512

fba1f53b6c2e8954e906ba2343e2b1a9f0f88ae69df0eab567af3ece4bc93d6b5291cc55e0aaf2b3d7e7d4e5457ac95eaacbd027425e3fff9df467e28627adcf
SSDEEP

12288:sRvnERMs3azRIMbcr6ZwchpZJmdhBPrx4PkAd5EBgv5gBjl:s5nm3fe5bMprx4c05EBgxgb

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	gabberoneshay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2040	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2396	gabberoneshay.exe
2704	server.exe
2496	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
816	FFA.exe
816	FFA.exe
816	FFA.exe
816	FFA.exe
2396	gabberoneshay.exe
2396	gabberoneshay.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	gabberoneshay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	gabberoneshay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	gabberoneshay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	gabberoneshay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	gabberoneshay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	gabberoneshay.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	gabberoneshay.exe
2496	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2396	816	FFA.exe	29
PID 816 wrote to memory of 2396	816	FFA.exe	29
PID 816 wrote to memory of 2396	816	FFA.exe	29
PID 816 wrote to memory of 2396	816	FFA.exe	29
PID 816 wrote to memory of 2704	816	FFA.exe	28
PID 816 wrote to memory of 2704	816	FFA.exe	28
PID 816 wrote to memory of 2704	816	FFA.exe	28
PID 816 wrote to memory of 2704	816	FFA.exe	28
PID 2396 wrote to memory of 2040	2396	gabberoneshay.exe	33
PID 2396 wrote to memory of 2040	2396	gabberoneshay.exe	33
PID 2396 wrote to memory of 2040	2396	gabberoneshay.exe	33
PID 2396 wrote to memory of 2040	2396	gabberoneshay.exe	33
PID 2396 wrote to memory of 2496	2396	gabberoneshay.exe	32
PID 2396 wrote to memory of 2496	2396	gabberoneshay.exe	32
PID 2396 wrote to memory of 2496	2396	gabberoneshay.exe	32
PID 2396 wrote to memory of 2496	2396	gabberoneshay.exe	32

C:\Users\Admin\AppData\Local\Temp\FFA.exe
"C:\Users\Admin\AppData\Local\Temp\FFA.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe
  "C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\spoolsv.exe
    /d C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8078.tmp

Filesize
37KB

MD5
5b6df124f30caf50951d465a5dd43fc8

SHA1
5973d702420fa7a7328498d476196ab1c7098e04

SHA256
79e9dc6803c215a596c36ef87d477e425acc32fc7f349caaaef27dedeca3462e

SHA512
b14cc786dbc21e7da989f31b606a5139159db4da9cfa4a0153166744a946f81574a85f7dbf6ce0bceb083c12b07e3383d8ba2a9ee03e68de052895d296e77c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8461.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe

Filesize
128KB

MD5
97e2a8f8e9aeb0950920153850085e9f

SHA1
6402208c962e88e9e9add63b1004bf8515a6687a

SHA256
15f46847a01e76351a568ea818a66a4bb8b145ec563bf9f5d8ee877616444c5d

SHA512
9a930f3d651e7fbd398f05eb53a954fe19a48f1a81f20dcf357a7b8416a46e4e6aa6c160678b90f5fff9a99ac57c9888d1c603ea5448b3d7a0f9b9c6a74a614b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
344KB

MD5
5ff197df8b9b3b25a63440705323ebfe

SHA1
be2120df9666b757f90d65ff209db7cd6f8c14be

SHA256
1c1281bf1638710e90a7d37002c27a65e24069ae1cdd52f7bab1067854fefd54

SHA512
e96f3f437a149fec07961f38ad92b3a3689841fb6925c1f78d572764cf6e3c2225951d4e496ff8b043c7de735ca84d95099708215db3589a712ff448f74e0b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
280KB

MD5
1f006a972d333219c766815d1f9aad3e

SHA1
c135c382d3df93188a4989e51b06dbbe7675be16

SHA256
77740959a2fb328411ac35b14390a0a6afce35f89155aaea1ea98cb960c8a1ca

SHA512
f07483ac2f15445de0939b9b0f58e36b07c127586f73491e83ae59b3a5c1c931e7ff5596329198b3dc1c423c8465e49c9a872e3e4dc69c1574f36598d2e7e613

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
212KB

MD5
2103a4c7cbab712b7bc7bab6351a2600

SHA1
294ad8b9d248d9fcdb7b63ed9fd68098cb1cedae

SHA256
e23906084613cfab11494b3a7f9eab46b394f83d7539ca28d14e7ae314143b30

SHA512
4868f2967a02b8b9e721b23365096e0297ed7c2cdf4a19b4c685970363b6bf71ce7b9308913a84f8b53b53d933f5d7c232a6efbeeae23f79709064d69d7b7306

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
233KB

MD5
c90eb651a6b448471e69c5a115241276

SHA1
9cb40aaf3fa80f1ca62f20e4575f5281d0d81507

SHA256
8a6bc39395b42e74f30ae5c1fdbecfde23df6586945c687d9c4f393da414f442

SHA512
ee11974af2f2cb67d9f049a6876a024dfc37dbc6d96a2252030ee48dce133722a752a9183a8ca0125dfbba5c614d970095773ec386e8d5aea818e46e91106ecd

Download Submit
\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
128KB

MD5
9565b3b763601164d276ec2011c90b38

SHA1
6b9428b9874657d199c83b497411035f4943495d

SHA256
671f261902715279b9e3143c01d5e5c73fd32ba9366d648992144d6d3c5439c4

SHA512
bb7d24ca4643ba3ab9a0ac646f4ea35a5f7ee8ae417bdd9c7ca3620c3c7a22e97399b87b245bee1a616fcab8d411231a14b7d1b38c7fde3513a6fd0504aeecb9

Download Submit
memory/816-0-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/816-2-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/816-1-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/816-23-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads