Analysis
max time kernel: 136s
max time network: 117s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2024, 15:07

Static task: static1
Behavioral task: behavioral1
Sample: 8731b66d1be95f290dc3bcd94b8c1a96.exe
Resource: win7-20231215-en
General
Target: 8731b66d1be95f290dc3bcd94b8c1a96.exe
Size: 7.6MB
MD5: 8731b66d1be95f290dc3bcd94b8c1a96
SHA1: 0aab9d684dc67e4a77176f062ae9a244c25bdfe4
SHA256: f2d1db4027dce2f6e586b298bed90b21c587d0e20d3f210dbed116442392f7fa
SHA512: 798c8e31228afa3e674f2d0dca83fc424ce0e7eb03415fbaf487c7dbb06ee8d1d80b3edb1d13b445f91bc3afca4752ea96562eff4c8d39959f56bfe9389d8394
SSDEEP: 196608:n3RQzh0JnP1EYNLGwSzqJ4dUEEyFKKYA/YeVI:nhMGJP1Ecwn5ElURVI
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2372  servbrow.exe
  2488  servbrow.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (16 IoCs)
  description                   ioc                                                                                                                                         Process
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]                   servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]          servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]           servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]      servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]                     servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]                    servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT                                             servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]                     servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]        servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat                              servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]                   servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]                    servbrow.exe
  File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]          servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]           servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]      servbrow.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]        servbrow.exe

Drops file in Program Files directory (6 IoCs)
  description                   ioc                                                        Process
  File created                  C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll  8731b66d1be95f290dc3bcd94b8c1a96.exe
  File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll  8731b66d1be95f290dc3bcd94b8c1a96.exe
  File created                  C:\Program Files\7-Zip\Ws2Help.dll                              8731b66d1be95f290dc3bcd94b8c1a96.exe
  File opened for modification  C:\Program Files\7-Zip\Ws2Help.dll                              8731b66d1be95f290dc3bcd94b8c1a96.exe
  File created                  C:\Program Files\VideoLAN\VLC\Ws2Help.dll                       8731b66d1be95f290dc3bcd94b8c1a96.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\Ws2Help.dll                       8731b66d1be95f290dc3bcd94b8c1a96.exe

Drops file in Windows directory (1 IoC)
  description   ioc                      Process
  File created  C:\Windows\servbrow.exe  8731b66d1be95f290dc3bcd94b8c1a96.exe

Modifies data under HKEY_USERS (25 IoCs)
  description        ioc                                                                                                                                                   Process
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  servbrow.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}\WpadNetworkName = "Network 3"  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  servbrow.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-b2-1f-fb-6c-38\WpadDecisionReason = "1"  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main  servbrow.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  servbrow.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  servbrow.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}\WpadDecisionTime = 503328992055da01  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}\da-b2-1f-fb-6c-38  servbrow.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-b2-1f-fb-6c-38\WpadDecisionTime = 503328992055da01  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-b2-1f-fb-6c-38\WpadDecision = "0"  servbrow.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  servbrow.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}\WpadDecisionReason = "1"  servbrow.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-b2-1f-fb-6c-38  servbrow.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0F5C60F0-9576-4B94-BC1B-18CCAC806855}\WpadDecision = "0"  servbrow.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                          pid   Process
  Token: SeTcbPrivilege                2372  servbrow.exe
  Token: SeChangeNotifyPrivilege       2372  servbrow.exe
  Token: SeIncreaseQuotaPrivilege      2372  servbrow.exe
  Token: SeAssignPrimaryTokenPrivilege 2372  servbrow.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  1708  8731b66d1be95f290dc3bcd94b8c1a96.exe
  2372  servbrow.exe
  2488  servbrow.exe
  2488  servbrow.exe
  2488  servbrow.exe
  2488  servbrow.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   Process       procid_target
  PID 2372 wrote to memory of 2488  2372  servbrow.exe  31
  PID 2372 wrote to memory of 2488  2372  servbrow.exe  31
  PID 2372 wrote to memory of 2488  2372  servbrow.exe  31
  PID 2372 wrote to memory of 2488  2372  servbrow.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\8731b66d1be95f290dc3bcd94b8c1a96.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8731b66d1be95f290dc3bcd94b8c1a96.exe"
  PID: 1708
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

C:\Windows\servbrow.exe (level 1)
  Command line: "C:\Windows\servbrow.exe" /Service
  PID: 2372
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\servbrow.exe (level 2)
      Command line: "C:\Windows\servbrow.exe" /Popup
      PID: 2488
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Downloads