Analysis
- max time kernel: 35s
- max time network: 31s
- platform: windows10-2004_x64
- resource: win10v2004-20240220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/02/2024, 18:30
Static task: static1
Behavioral task: behavioral1
Sample: student.exe
Resource: win7-20231215-en
General
- Target: student.exe
- Size: 5.1MB
- MD5: 8748891eb1584c4502a15577d3075d41
- SHA1: e0304bd87d1e7516ca6f49d8896fa8498b830ab5
- SHA256: f2167589cc58e0bbb31100da792d13a9bcb8e98e511aa2405e896223a11ddabd
- SHA512: a2c46761b31050f319f55d6e2de35ee59f22d427e9edf2f7a7061922aeafde44b56cdc6165e0523d01f21dacf20013d6eb10ce1b4627134b6d8e866de9169024
- SSDEEP: 98304:Rx9iA5FR7kozLG5k4iugdOsmX6Xpcvy3r3MKpeGVxG06Puy+1M:Rx935FJfzLjunX6XpmGVwyy+G
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | student.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | student.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | student.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | student.exe
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
2908 | NETSH.EXE
3516 | NETSH.EXE
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation | student.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: \??\R: \??\Q: \??\N: \??\G: \??\W: \??\P: \??\O: \??\L: \??\I: \??\T: \??\S: \??\K: \??\J: \??\H: \??\Z: \??\Y: \??\X: \??\U: \??\M: (one row per drive root, 20 rows) | student.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Internet Explorer\Main\AssociationActivationMode = "2" | student.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | student.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | student.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Internet Explorer\Main\ApplicationTileImmersiveActivation = "0" | student.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5080 | student.exe
5080 | student.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeTcbPrivilege | 5080 | student.exe
Token: SeDebugPrivilege | 5080 | student.exe
Token: SeTcbPrivilege | 5080 | student.exe
Token: SeTcbPrivilege | 5080 | student.exe
Token: SeBackupPrivilege | 5080 | student.exe
Token: SeTcbPrivilege | 5080 | student.exe
Token: SeTcbPrivilege | 5080 | student.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
5080 | student.exe
5080 | student.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
5080 | student.exe
5080 | student.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
5080 | student.exe
5080 | student.exe
5080 | student.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 5080 wrote to memory of 2908 | 5080 | student.exe | 89
PID 5080 wrote to memory of 2908 | 5080 | student.exe | 89
PID 5080 wrote to memory of 2908 | 5080 | student.exe | 89
PID 5080 wrote to memory of 3516 | 5080 | student.exe | 92
PID 5080 wrote to memory of 3516 | 5080 | student.exe | 92
PID 5080 wrote to memory of 3516 | 5080 | student.exe | 92
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\student.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\student.exe"
  PID: 5080
  - Modifies firewall policy service
  - Checks computer location settings
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\NETSH.EXE
    command line: "C:\Windows\SYSTEM32\NETSH.EXE" advfirewall firewall delete rule name="LanSchool Student"
    PID: 2908
    - Modifies Windows Firewall
  - [level 2] C:\Windows\SysWOW64\NETSH.EXE
    command line: "C:\Windows\SYSTEM32\NETSH.EXE" advfirewall firewall add rule name="LanSchool Student" dir=in program="C:\Users\Admin\AppData\Local\Temp\student.exe" action=allow
    PID: 3516
    - Modifies Windows Firewall
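The three host-level behaviours this report records (DoNotAllowExceptions set to 0 under the StandardProfile and DomainProfile firewall policy keys, a netsh "add rule ... action=allow" for a program living in the user's Temp directory, and one process opening twenty drive roots) can be turned into triage checks that run over endpoint telemetry. The script below is an added example, not code from tria.ge or from the sample: it parses a constructed pipe-delimited event log (pid|image|op|detail, a format assumed for the example and modelled on the report's IoC rows) and flags each of the three patterns. The list of user-writable directories and the drive-count threshold are assumptions. It also normalises the WoW64 image path, because the netsh children here show the redirected image C:\Windows\SysWOW64\NETSH.EXE while their command line names SYSTEM32, which is what a 32-bit parent on 64-bit Windows produces.

```python
"""Triage checks for the behaviours in this report (added example, not tria.ge code).

Reads a constructed pipe-delimited event log (pid|image|op|detail) that mirrors
the report's IoCs and applies three checks: firewall policy weakened through the
registry, a netsh allow rule for a program in a user-writable directory, and one
process probing many drive roots. Log format, path markers and threshold are
assumptions made for this example.
"""
import re
from collections import defaultdict

# DoNotAllowExceptions = 0 re-enables per-profile firewall exceptions; the
# report shows it written under StandardProfile and DomainProfile.
FW_POLICY_RE = re.compile(
    r'\\FirewallPolicy\\(?P<profile>[A-Za-z]+Profile)\\DoNotAllowExceptions\s*=\s*"?(?P<value>\d+)',
    re.IGNORECASE)
NETSH_ADD_RE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
NETSH_PROGRAM_RE = re.compile(r'program=(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)
NETSH_ACTION_RE = re.compile(r"action=(?P<action>\w+)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\(?P<letter>[A-Za-z]):\\?$")
# Directories an unprivileged user can write to (assumed list, lower-case).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample log: the report's IoCs plus one benign netsh rule.
SAMPLE_LOG = "\n".join([
    r"5080|C:\Users\Admin\AppData\Local\Temp\student.exe|regset|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = 0",
    r"5080|C:\Users\Admin\AppData\Local\Temp\student.exe|regset|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = 0",
    r'2908|C:\Windows\SysWOW64\NETSH.EXE|proc|"C:\Windows\SYSTEM32\NETSH.EXE" advfirewall firewall delete rule name="LanSchool Student"',
    r'3516|C:\Windows\SysWOW64\NETSH.EXE|proc|"C:\Windows\SYSTEM32\NETSH.EXE" advfirewall firewall add rule name="LanSchool Student" dir=in program="C:\Users\Admin\AppData\Local\Temp\student.exe" action=allow',
    r'4100|C:\Windows\System32\netsh.exe|proc|netsh advfirewall firewall add rule name="Backup agent" dir=in program="C:\Program Files\Backup\agent.exe" action=allow',
] + [r"5080|C:\Users\Admin\AppData\Local\Temp\student.exe|fileopen|\??\%s:" % c
     for c in "VRQNGWPOLITSKJHZYXUM"])


def normalize_image(path):
    """Lower-case the path and undo WoW64 file-system redirection.

    A 32-bit process on 64-bit Windows that asks for C:\\Windows\\System32 is
    redirected to C:\\Windows\\SysWOW64, so the same binary can appear under
    either name depending on the parent's bitness.
    """
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def parse_events(text):
    """Split 'pid|image|op|detail' lines into dicts; detail may contain '|'-free text."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, image, op, detail = line.split("|", 3)
            events.append({"pid": int(pid), "image": image, "op": op, "detail": detail})
    return events


def check_firewall_policy(events):
    """Flag registry writes that set DoNotAllowExceptions to 0 for any profile."""
    findings = []
    for ev in events:
        if ev["op"] != "regset":
            continue
        m = FW_POLICY_RE.search(ev["detail"])
        if m and int(m.group("value")) == 0:
            findings.append(("firewall_exceptions_enabled", ev["pid"], m.group("profile")))
    return findings


def check_netsh_allow_rules(events):
    """Flag netsh allow rules whose program= path sits in a user-writable directory."""
    findings = []
    for ev in events:
        if ev["op"] != "proc" or not normalize_image(ev["image"]).endswith("\\system32\\netsh.exe"):
            continue
        cmd = ev["detail"]
        action = NETSH_ACTION_RE.search(cmd)
        prog = NETSH_PROGRAM_RE.search(cmd)
        if not NETSH_ADD_RE.search(cmd) or not action or not prog:
            continue
        if action.group("action").lower() != "allow":
            continue
        path = (prog.group("q") or prog.group("u")).lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(("netsh_allow_user_writable_program", ev["pid"], path))
    return findings


def check_drive_enumeration(events, threshold=10):
    """Flag a process that opens at least `threshold` distinct non-C: drive roots."""
    letters = defaultdict(set)
    for ev in events:
        m = DRIVE_ROOT_RE.match(ev["detail"]) if ev["op"] == "fileopen" else None
        if m and m.group("letter").upper() != "C":
            letters[ev["pid"]].add(m.group("letter").upper())
    return [("drive_enumeration", pid, len(ls))
            for pid, ls in sorted(letters.items()) if len(ls) >= threshold]


def triage(text):
    events = parse_events(text)
    return (check_firewall_policy(events) + check_netsh_allow_rules(events)
            + check_drive_enumeration(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it prints four findings: two firewall-policy writes by PID 5080, the allow rule added by PID 3516 for the Temp-resident student.exe, and PID 5080 touching 20 drive roots; the rule for a program under Program Files is deliberately not flagged. The WriteProcessMemory rows in this report are parent-to-child writes into the two netsh processes the sample itself started, which ordinary process creation also produces, so the example does not treat them as an injection signal.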