233c8de9d082447c735555b4822bb49534df9f1b37cc170aaf168e50f4ed9edc

General

Target

abfbcecff800549cdc9e574cb505ecd1.exe
Size

1.7MB
MD5

abfbcecff800549cdc9e574cb505ecd1
SHA1

f438bc4ab16ac1d963157dc544037c6bb29d91d3
SHA256

233c8de9d082447c735555b4822bb49534df9f1b37cc170aaf168e50f4ed9edc
SHA512

3d6554ef25ddcd21031f8762d9b9d233ae65c25c77f69f89317f84bb861ef4ed3b43f5c3f5b8308d287d3eb305a65c8c95d44e0a3942e7f0bdbd06f29c273a16
SSDEEP

49152:VJJrmkyMRt8JIeyH68c2fed30So4WB4PDLI09I:Rwstwh26t2G3fo4Pb+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BearShare\log.log	abfbcecff800549cdc9e574cb505ecd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\abfbcecff800549cdc9e574cb505ecd1.exe	abfbcecff800549cdc9e574cb505ecd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\abfbcecff800549cdc9e574cb505ecd1.exe\IsHostApp	abfbcecff800549cdc9e574cb505ecd1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3312	abfbcecff800549cdc9e574cb505ecd1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3312	abfbcecff800549cdc9e574cb505ecd1.exe
3312	abfbcecff800549cdc9e574cb505ecd1.exe

C:\Users\Admin\AppData\Local\Temp\abfbcecff800549cdc9e574cb505ecd1.exe
"C:\Users\Admin\AppData\Local\Temp\abfbcecff800549cdc9e574cb505ecd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\UserInfo.dll

Filesize
4KB

MD5
d16e06c5de8fb8213a0464568ed9852f

SHA1
d063690dc0d2c824f714acb5c4bcede3aa193f03

SHA256
728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

SHA512
60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\apphelp.dll

Filesize
2.0MB

MD5
3f669af87b5e7e4e64b989ed173f132e

SHA1
309c10c90661b3370c1f2f17141b3c7a813bea53

SHA256
531ce92fd412ab0ffedef4a6dfe64a4d468da7975d336ba84eb56e9310bf2b57

SHA512
508c2772721bed13b5f01b7ae721d55b7ad638c30051f8c71d4084f67d2d2a04244dd05ecd713538130aef23d73bc33e405a3c935bc9f22a1cd443b8e30ad551

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv882C.tmp\soffer.dll

Filesize
188KB

MD5
c942fb47af0a368042ae23b04400e93d

SHA1
6b6d8601acae3dfae58cae4db8d9455c261d4c20

SHA256
2b9cd80a584bd71ac39b4462aa51b1f26146ba2369dee63a4101d8e424c2092e

SHA512
b83ce832b4dfda22834410d112467348afb84949a6dd799ac15fcd1ba17acc83a9fa1a2dc7430dd0da6f366e18d3b437052707dfaebb2f62ab831afa2e80d252

Download Submit
memory/3312-53-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3312-62-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing