de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728

General

Target

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
Size

3.5MB
MD5

b91097bff5f741a965eb80edfcc97b0b
SHA1

fdebe47b69442a312c1008c7a5ee71b3f41b4a68
SHA256

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728
SHA512

21b96d15a463a5cdc7e2016a8a1e1cf636b1c4d13343f66fdcad24deecba56a29797600701ac3a382133ca585c89eb81fab085853991c19ccf245ff11de91514
SSDEEP

49152:JAdGB73ejP3+EMfRdASVaAvrC5Xh602+:JAgR3epMjASHch

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 4 IoCs

Processes:

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

Drops file in Program Files directory 64 IoCs

Processes:

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHDHM.POC	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.ELM	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00693_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00712_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18213_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\PREVIEW.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199609.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART4.BDR	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

pid process

1664 de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2628 vssvc.exe
Token: SeRestorePrivilege 2628 vssvc.exe
Token: SeAuditPrivilege 2628 vssvc.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
1664	de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe

description	pid	process
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe
"C:\Users\Admin\AppData\Local\Temp\de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads