de8e6d4b87735db9251283f7ed6e8eb67f2e441f4232c32688194089207bfe01

General

Target

7272c8337cd8e1c24bbedc711d5c8c63.exe
Size

7.6MB
MD5

7272c8337cd8e1c24bbedc711d5c8c63
SHA1

5a8fe1dfa771cc0aca1dea34aea6bbbaac2bc57e
SHA256

de8e6d4b87735db9251283f7ed6e8eb67f2e441f4232c32688194089207bfe01
SHA512

816a0a3d09b5745c542dcaef598b4d6f8a06c0052858ed24b6749353aabcb23dbac34366f260807d014b0b2b93e628762b53be211fd050e4287bf830463f4960
SSDEEP

196608:Bbu8/8sQIZqTExhb3N1K2BJuEfjsLIlb6oF5owm5Ndfv:BDzQghbdA4BsE6oF3m35

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2356	servbrow.exe
2092	servbrow.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	servbrow.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	servbrow.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	servbrow.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files\7-Zip\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File created	C:\Program Files\VideoLAN\VLC\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll	7272c8337cd8e1c24bbedc711d5c8c63.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servbrow.exe	7272c8337cd8e1c24bbedc711d5c8c63.exe

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-1b-74-16-08-d7\WpadDecision = "0"	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	servbrow.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}\f2-1b-74-16-08-d7	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-1b-74-16-08-d7\WpadDecisionReason = "1"	servbrow.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-1b-74-16-08-d7\WpadDecisionTime = e0f609b1cf4eda01	servbrow.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-1b-74-16-08-d7	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	servbrow.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	servbrow.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}\WpadDecisionTime = e0f609b1cf4eda01	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	servbrow.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}\WpadDecision = "0"	servbrow.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}\WpadNetworkName = "Network 3"	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	servbrow.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	servbrow.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	servbrow.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{015653D1-EF28-481E-A84B-9FD7EAD49A42}\WpadDecisionReason = "1"	servbrow.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	servbrow.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTcbPrivilege	2356	servbrow.exe
Token: SeChangeNotifyPrivilege	2356	servbrow.exe
Token: SeIncreaseQuotaPrivilege	2356	servbrow.exe
Token: SeAssignPrimaryTokenPrivilege	2356	servbrow.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2188	7272c8337cd8e1c24bbedc711d5c8c63.exe
2356	servbrow.exe
2092	servbrow.exe
2092	servbrow.exe
2092	servbrow.exe
2092	servbrow.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2092	2356	servbrow.exe	31
PID 2356 wrote to memory of 2092	2356	servbrow.exe	31
PID 2356 wrote to memory of 2092	2356	servbrow.exe	31
PID 2356 wrote to memory of 2092	2356	servbrow.exe	31

C:\Users\Admin\AppData\Local\Temp\7272c8337cd8e1c24bbedc711d5c8c63.exe
"C:\Users\Admin\AppData\Local\Temp\7272c8337cd8e1c24bbedc711d5c8c63.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\servbrow.exe
"C:\Windows\servbrow.exe" /Service
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\servbrow.exe
  "C:\Windows\servbrow.exe" /Popup
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll

Filesize
647KB

MD5
c089da2006f0255ee7f604f8338e9a63

SHA1
f9135088c47fd4666d4c24672ef989e6e7b9494a

SHA256
01d5bd79d084a08e31abd67d2df559ce69ac3929216db1f7846ea1a9db73cac3

SHA512
ac4854ffc1253bb2fff6aecfe9a1dca15ce6801d47e8c295d715e3e8386cde354e499a9f32f0f6e57223a799759f4dcba658457666650ff40b20f68481bdc611

Download Submit
C:\Windows\servbrow.exe

Filesize
4.3MB

MD5
635866bdd400dba27b720cca4a5a4d41

SHA1
34d775f2f1d870f8db96c58c330bc622c23275dc

SHA256
e5c2a4b236b2ace2fa334ae8da639bc60dee34706f6850afd49428f209c4b612

SHA512
393658036dfcd8874c7ebf0fcea5f823f066348d683b6cc3bbc96def82b66b2bd04841e1cee92371b4f96a186d1c7f4a0f9828978e8561a6892f32a664c5d50d

Download Submit
C:\Windows\servbrow.exe

Filesize
3.9MB

MD5
714dc38da5f28a0b97883d92cbc1405d

SHA1
175cd4e77b834cd62e878b7a9962687d8d46262e

SHA256
b20ea0d736adda8ab5c90d397f205424d171f92da55e0597ac7e0a423b6d5177

SHA512
5b195efe8a0848c8bf366101792e73c6e2e9b4c6226d201974171c2aa18176f4df41820ae61df712c3a035b260e6b480684491afb15492d818ddeacf37168cd3

Download Submit
C:\Windows\servbrow.exe

Filesize
5.1MB

MD5
5cbdc6ff36a1a405a816084b868e49b2

SHA1
6256dddd0d9dc4c3e4f4fe699e9a704140f208d1

SHA256
2f479fe037cd9a1f6f1bbe56b0167d770587b23959e77907560dc699a00bb9e9

SHA512
251652a67641b0f168f7251f3a292d6d35d024999c1fc00387daa57949e223afa4b9fafbb26d8d612f5983743a25c476b6231f51cc29b41c58026f416ef65105

Download Submit

Analysis

Sharing