4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d

General

Target

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe
Size

126KB
MD5

6182f0d38783485a9ead962a6869327a
SHA1

965a5be418baa9372688838aa4052a20e5ab4631
SHA256

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d
SHA512

04235000d610d189ed73b36e9cfd2a359e9885335e96ffa0276b1a0babd001f8a653e80c0f37b6fc428d97110b19cb2b19149b45eb02193e8b8e0b317e8279c4
SSDEEP

3072:Z8ra+p+6/mf21inVtQ1OUpdkT+clARIw06c:bcq21YQ1gCi

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2288 netsh.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2552 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1752 ipconfig.exe
2212 NETSTAT.EXE
2300 NETSTAT.EXE
1628 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2224 systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tasklist.exe

pid process

2552 tasklist.exe
2552 tasklist.exe

pid	process
2288	netsh.exe

pid	process
2552	tasklist.exe

pid	process
1752	ipconfig.exe
2212	NETSTAT.EXE
2300	NETSTAT.EXE
1628	ipconfig.exe

pid	process
2224	systeminfo.exe

pid	process
2552	tasklist.exe
2552	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	2752	msiexec.exe
Token: SeTakeOwnershipPrivilege	2752	msiexec.exe
Token: SeSecurityPrivilege	2752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.execmd.exenet.exe

description	pid	process	target process
PID 2856 wrote to memory of 1272	2856	4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe	cmd.exe
PID 2856 wrote to memory of 1272	2856	4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe	cmd.exe
PID 2856 wrote to memory of 1272	2856	4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe	cmd.exe
PID 1272 wrote to memory of 2172	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2172	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2172	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2180	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2180	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2180	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1584	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1584	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1584	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1576	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1576	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1576	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2040	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2040	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2040	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 444	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 444	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 444	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 3012	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 3012	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 3012	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1296	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1296	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1296	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1712	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1712	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1712	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 108	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 108	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 108	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 544	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 544	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 544	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 932	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 932	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 932	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2104	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2104	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2104	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2216	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2216	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 2216	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 1752	1272	cmd.exe	ipconfig.exe
PID 1272 wrote to memory of 1752	1272	cmd.exe	ipconfig.exe
PID 1272 wrote to memory of 1752	1272	cmd.exe	ipconfig.exe
PID 1272 wrote to memory of 1952	1272	cmd.exe	ROUTE.EXE
PID 1272 wrote to memory of 1952	1272	cmd.exe	ROUTE.EXE
PID 1272 wrote to memory of 1952	1272	cmd.exe	ROUTE.EXE
PID 1272 wrote to memory of 2288	1272	cmd.exe	netsh.exe
PID 1272 wrote to memory of 2288	1272	cmd.exe	netsh.exe
PID 1272 wrote to memory of 2288	1272	cmd.exe	netsh.exe
PID 1272 wrote to memory of 2224	1272	cmd.exe	systeminfo.exe
PID 1272 wrote to memory of 2224	1272	cmd.exe	systeminfo.exe
PID 1272 wrote to memory of 2224	1272	cmd.exe	systeminfo.exe
PID 1272 wrote to memory of 2552	1272	cmd.exe	tasklist.exe
PID 1272 wrote to memory of 2552	1272	cmd.exe	tasklist.exe
PID 1272 wrote to memory of 2552	1272	cmd.exe	tasklist.exe
PID 1272 wrote to memory of 2536	1272	cmd.exe	net.exe
PID 1272 wrote to memory of 2536	1272	cmd.exe	net.exe
PID 1272 wrote to memory of 2536	1272	cmd.exe	net.exe
PID 2536 wrote to memory of 1972	2536	net.exe	net1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe
"C:\Users\Admin\AppData\Local\Temp\4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\system32\cmd.exe
cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
3⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
3⤵
PID:1576

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
3⤵
PID:2040

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
3⤵
PID:444

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
3⤵
PID:3012

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
3⤵
PID:1296

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
3⤵
PID:1712

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
3⤵
PID:108

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
3⤵
PID:544

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
3⤵
PID:932

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
3⤵
PID:2104

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
3⤵
PID:2216

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
3⤵
- Gathers network information
PID:1752

C:\Windows\system32\ROUTE.EXE
route print
3⤵
PID:1952

C:\Windows\system32\netsh.exe
netsh firewall show state
3⤵
- Modifies Windows Firewall
PID:2288

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:2224

C:\Windows\system32\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\system32\net.exe
net accounts /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
4⤵
PID:1972

C:\Windows\system32\net.exe
net share
3⤵
PID:2596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
4⤵
PID:2440

C:\Windows\system32\net.exe
net user
3⤵
PID:2584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:2284

C:\Windows\system32\net.exe
net user /domain
3⤵
PID:2532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
4⤵
PID:2416

C:\Windows\system32\net.exe
net use
3⤵
PID:2492

C:\Windows\system32\net.exe
net group
3⤵
PID:2480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
4⤵
PID:2816

C:\Windows\system32\net.exe
net localgroup
3⤵
PID:2812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:3024

C:\Windows\system32\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
PID:1788

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:2144

C:\Windows\system32\NETSTAT.EXE
netstat -nao
3⤵
- Gathers network information
PID:2300

C:\Windows\system32\schtasks.exe
schtasks /query /fo LIST
3⤵
PID:1868

C:\Windows\system32\net.exe
net start
3⤵
PID:1332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:1180

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2856 -s 680
2⤵
PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing