e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

General

Target

479d30cd484920e686388641718edc53.exe
Size

120KB
MD5

479d30cd484920e686388641718edc53
SHA1

c7040a1893168c204c759280d9671b0b58890c8c
SHA256

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
SHA512

e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d
SSDEEP

1536:2Wzd3+6aUp+3aTvjgFnbF/nt6z9b1Caom02vrDxcHtcV/erWEUzny94BgJad:z3av3aTvjv9b1Ch30rDxcHtcV/SquI

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2596 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe

pid process

2672 479d30cd484920e686388641718edc53.exe
1100 479d30cd484920e686388641718edc53.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2596	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2116 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2500 timeout.exe

flow	ioc
5	ip-api.com

pid	process
2116	schtasks.exe

pid	process
2500	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	479d30cd484920e686388641718edc53.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	479d30cd484920e686388641718edc53.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	479d30cd484920e686388641718edc53.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	479d30cd484920e686388641718edc53.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	479d30cd484920e686388641718edc53.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe

pid	process
2672	479d30cd484920e686388641718edc53.exe
2672	479d30cd484920e686388641718edc53.exe
2672	479d30cd484920e686388641718edc53.exe
1100	479d30cd484920e686388641718edc53.exe
1100	479d30cd484920e686388641718edc53.exe
1100	479d30cd484920e686388641718edc53.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe479d30cd484920e686388641718edc53.exe

description	pid	process
Token: SeDebugPrivilege	2244	479d30cd484920e686388641718edc53.exe
Token: SeDebugPrivilege	2672	479d30cd484920e686388641718edc53.exe
Token: SeDebugPrivilege	1100	479d30cd484920e686388641718edc53.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

479d30cd484920e686388641718edc53.execmd.exe479d30cd484920e686388641718edc53.execmd.execmd.exetaskeng.exe479d30cd484920e686388641718edc53.execmd.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 2596	2244	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2244 wrote to memory of 2596	2244	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2244 wrote to memory of 2596	2244	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2596 wrote to memory of 2548	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2548	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2548	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2500	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2500	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2500	2596	cmd.exe	timeout.exe
PID 2596 wrote to memory of 2116	2596	cmd.exe	schtasks.exe
PID 2596 wrote to memory of 2116	2596	cmd.exe	schtasks.exe
PID 2596 wrote to memory of 2116	2596	cmd.exe	schtasks.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	479d30cd484920e686388641718edc53.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	479d30cd484920e686388641718edc53.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	479d30cd484920e686388641718edc53.exe
PID 2672 wrote to memory of 2392	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2672 wrote to memory of 2392	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2672 wrote to memory of 2392	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2392 wrote to memory of 2472	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2472	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2472	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2828	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 2828	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 2828	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 2824	2392	cmd.exe	findstr.exe
PID 2392 wrote to memory of 2824	2392	cmd.exe	findstr.exe
PID 2392 wrote to memory of 2824	2392	cmd.exe	findstr.exe
PID 2672 wrote to memory of 2680	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2672 wrote to memory of 2680	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2672 wrote to memory of 2680	2672	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2680 wrote to memory of 1628	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 1628	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 1628	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 1752	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 1752	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 1752	2680	cmd.exe	netsh.exe
PID 2680 wrote to memory of 2296	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2296	2680	cmd.exe	findstr.exe
PID 2680 wrote to memory of 2296	2680	cmd.exe	findstr.exe
PID 2984 wrote to memory of 1100	2984	taskeng.exe	479d30cd484920e686388641718edc53.exe
PID 2984 wrote to memory of 1100	2984	taskeng.exe	479d30cd484920e686388641718edc53.exe
PID 2984 wrote to memory of 1100	2984	taskeng.exe	479d30cd484920e686388641718edc53.exe
PID 1100 wrote to memory of 2608	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 1100 wrote to memory of 2608	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 1100 wrote to memory of 2608	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 2608 wrote to memory of 2496	2608	cmd.exe	chcp.com
PID 2608 wrote to memory of 2496	2608	cmd.exe	chcp.com
PID 2608 wrote to memory of 2496	2608	cmd.exe	chcp.com
PID 2608 wrote to memory of 2380	2608	cmd.exe	netsh.exe
PID 2608 wrote to memory of 2380	2608	cmd.exe	netsh.exe
PID 2608 wrote to memory of 2380	2608	cmd.exe	netsh.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	findstr.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	findstr.exe
PID 2608 wrote to memory of 2440	2608	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1696	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 1100 wrote to memory of 1696	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 1100 wrote to memory of 1696	1100	479d30cd484920e686388641718edc53.exe	cmd.exe
PID 1696 wrote to memory of 1752	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 1752	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 1752	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 2700	1696	cmd.exe	netsh.exe
PID 1696 wrote to memory of 2700	1696	cmd.exe	netsh.exe
PID 1696 wrote to memory of 2700	1696	cmd.exe	netsh.exe
PID 1696 wrote to memory of 2684	1696	cmd.exe	findstr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

479d30cd484920e686388641718edc53.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe

outlook_win_path 1 IoCs

Processes:

479d30cd484920e686388641718edc53.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	479d30cd484920e686388641718edc53.exe

C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe
"C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "479d30cd484920e686388641718edc53" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2548

C:\Windows\system32\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:2500

C:\Windows\system32\schtasks.exe
schtasks /create /tn "479d30cd484920e686388641718edc53" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2116

C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
4⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2472

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:2828

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
5⤵
PID:2824

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
4⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1628

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:1752

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
5⤵
PID:2296

C:\Windows\system32\taskeng.exe
taskeng.exe {DB3FDC47-B7CB-4609-BEC6-14CD62D5CF60} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1100

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
3⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2496

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2380

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
4⤵
PID:2440

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
3⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1752

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:2700

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
4⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0d4d5320bcdc25fe0d263809834fd03

SHA1
0284f81b09c52ed1b8919197a597391ca87d2060

SHA256
c2b16778aaf201e16745a7eff82d0410fbd3d5907cc3ba3de206fb0f8d93109e

SHA512
cf3c226cf75bc4f7154b71371a8391a52ed1e54f8e64392a274ce4b08fbcf4a3dcc78e4be6aa7c9d56e3106a18bd258bd2e9bc876a4daf88593914d812149369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41021b32f9e569e62cdabd5af050aa4f

SHA1
1754e59308f3cacbb19ac5a3d4b34f45137ae840

SHA256
8d1160f5eb5a407ea109bfd0b420b6f928dcb79d6ebe0afc790ca3b40879d222

SHA512
e10eb2055c19d40c4826cf7d70aaa4adc68af0638a78bbda27ca777b321345314e02a6172e80833c8b0ffc4443f3269b90d5e46a203dd2316c53f526af13b5de

Download Submit
C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe

Filesize
120KB

MD5
479d30cd484920e686388641718edc53

SHA1
c7040a1893168c204c759280d9671b0b58890c8c

SHA256
e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

SHA512
e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3C7B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat

Filesize
4B

MD5
5487e79fa0ccd0b79e5d4a4c8ced005d

SHA1
9b167f20d855b3d33fa8877a17dea0898be590e1

SHA256
c30d2c58c630f9e4e5a303cfe36cf2d7fd66a1189a5e45daba5a62fc65902580

SHA512
ea090c610f876f7345081f8dd2265df7f5dfd185ada14f5560b259fe4a15302845fe9260044a86d1dabe9b932c1a0d352100650151250bc554f243f52a7774d2

Download Submit
memory/2244-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000E20000-0x0000000000E44000-memory.dmp

Filesize
144KB

Download
memory/2244-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2672-9-0x0000000000D00000-0x0000000000D24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads