233c8de9d082447c735555b4822bb49534df9f1b37cc170aaf168e50f4ed9edc

General

Target

abfbcecff800549cdc9e574cb505ecd1.exe
Size

1.7MB
MD5

abfbcecff800549cdc9e574cb505ecd1
SHA1

f438bc4ab16ac1d963157dc544037c6bb29d91d3
SHA256

233c8de9d082447c735555b4822bb49534df9f1b37cc170aaf168e50f4ed9edc
SHA512

3d6554ef25ddcd21031f8762d9b9d233ae65c25c77f69f89317f84bb861ef4ed3b43f5c3f5b8308d287d3eb305a65c8c95d44e0a3942e7f0bdbd06f29c273a16
SSDEEP

49152:VJJrmkyMRt8JIeyH68c2fed30So4WB4PDLI09I:Rwstwh26t2G3fo4Pb+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BearShare\log.log	abfbcecff800549cdc9e574cb505ecd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	abfbcecff800549cdc9e574cb505ecd1.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\abfbcecff800549cdc9e574cb505ecd1.exe	abfbcecff800549cdc9e574cb505ecd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\abfbcecff800549cdc9e574cb505ecd1.exe\IsHostApp	abfbcecff800549cdc9e574cb505ecd1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	abfbcecff800549cdc9e574cb505ecd1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	abfbcecff800549cdc9e574cb505ecd1.exe
2884	abfbcecff800549cdc9e574cb505ecd1.exe

C:\Users\Admin\AppData\Local\Temp\abfbcecff800549cdc9e574cb505ecd1.exe
"C:\Users\Admin\AppData\Local\Temp\abfbcecff800549cdc9e574cb505ecd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\UserInfo.dll

Filesize
4KB

MD5
d16e06c5de8fb8213a0464568ed9852f

SHA1
d063690dc0d2c824f714acb5c4bcede3aa193f03

SHA256
728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

SHA512
60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\apphelp.dll

Filesize
2.0MB

MD5
3f669af87b5e7e4e64b989ed173f132e

SHA1
309c10c90661b3370c1f2f17141b3c7a813bea53

SHA256
531ce92fd412ab0ffedef4a6dfe64a4d468da7975d336ba84eb56e9310bf2b57

SHA512
508c2772721bed13b5f01b7ae721d55b7ad638c30051f8c71d4084f67d2d2a04244dd05ecd713538130aef23d73bc33e405a3c935bc9f22a1cd443b8e30ad551

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nst3DDC.tmp\soffer.dll

Filesize
188KB

MD5
c942fb47af0a368042ae23b04400e93d

SHA1
6b6d8601acae3dfae58cae4db8d9455c261d4c20

SHA256
2b9cd80a584bd71ac39b4462aa51b1f26146ba2369dee63a4101d8e424c2092e

SHA512
b83ce832b4dfda22834410d112467348afb84949a6dd799ac15fcd1ba17acc83a9fa1a2dc7430dd0da6f366e18d3b437052707dfaebb2f62ab831afa2e80d252

Download Submit
memory/2884-40-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2884-58-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing