441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb

General

Target

svchost.exe
Size

749KB
MD5

a6479dae68115fad0a37c5fb33becf99
SHA1

398663b27c9297a884c800aa64916c976638a036
SHA256

441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb
SHA512

aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452
SSDEEP

12288:Cv2E2CrJF9srANfrX8QoN2e9YxzKapgg3e8SIa+9j8CfL6qd8kAXDbvDYD:jE2CrJdNfjrfJ+aX3e8DaOj8wL6e

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

2488 sppsvc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2488	sppsvc.exe

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\explorer.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\explorer.exe	svchost.exe
File created	C:\Program Files\Windows Journal\7a0fd90576e088	svchost.exe
File created	C:\Program Files\Microsoft Games\lsass.exe	svchost.exe
File created	C:\Program Files\Microsoft Games\6203df4a6bafc7	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2596 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

2488 sppsvc.exe

pid	process
2596	PING.EXE

pid	process
2488	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

2488 sppsvc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesppsvc.exe

description pid process

Token: SeDebugPrivilege 2904 svchost.exe
Token: SeDebugPrivilege 2488 sppsvc.exe

pid	process
2488	sppsvc.exe

description	pid	process
Token: SeDebugPrivilege	2904	svchost.exe
Token: SeDebugPrivilege	2488	sppsvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.execmd.exe

description	pid	process	target process
PID 2904 wrote to memory of 2708	2904	svchost.exe	cmd.exe
PID 2904 wrote to memory of 2708	2904	svchost.exe	cmd.exe
PID 2904 wrote to memory of 2708	2904	svchost.exe	cmd.exe
PID 2708 wrote to memory of 2608	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2608	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2608	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2596	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2596	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2596	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2488	2708	cmd.exe	sppsvc.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	sppsvc.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	sppsvc.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	sppsvc.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BqNUrJv5SW.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2596

C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe
"C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe
Filesize
749KB

MD5
a6479dae68115fad0a37c5fb33becf99

SHA1
398663b27c9297a884c800aa64916c976638a036

SHA256
441e25c74a8c10b804e0c7f2ffa803b1055c8cddec79e7d70270efb4857e18eb

SHA512
aa3dc1b98aa53708a2b9834fb3dc0585ae5deffa168fe65d2aff3d80f4b0849c41d3cbd37e306ac6bfbfe5689e8c625828c93453fd21d5f7ecc0b16ad85f7452

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqNUrJv5SW.bat
Filesize
187B

MD5
d4f1308767cfc85fa5f58f564f80d41c

SHA1
f0d8edc935cce0e650fe1d37bf262ecf23808791

SHA256
fc22d71b3f5a6db72bb42c9d3b05c605dfbe384deed94789c38191019927de88

SHA512
e2bc17666ce349bac453e000a6cd9e8e79da1bc5a8bfc55bea3e66890f95dd8fcc82441b93051b5405d3ac86dbde1541fd5ae67f7f3153c191694f427ffb9acf

Download Submit
memory/2488-35-0x0000000000EC0000-0x0000000000F82000-memory.dmp

Filesize
776KB

Download
memory/2904-4-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2904-0-0x0000000000090000-0x0000000000152000-memory.dmp

Filesize
776KB

Download
memory/2904-6-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/2904-7-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2904-8-0x00000000775A0000-0x00000000775A1000-memory.dmp

Filesize
4KB

Download
memory/2904-10-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2904-12-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/2904-13-0x0000000077590000-0x0000000077591000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x0000000000620000-0x00000000006DE000-memory.dmp

Filesize
760KB

Download
memory/2904-3-0x00000000777E0000-0x0000000077989000-memory.dmp

Filesize
1.7MB

Download
memory/2904-30-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-31-0x00000000777E0000-0x0000000077989000-memory.dmp

Filesize
1.7MB

Download
memory/2904-1-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads