4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d

General

Target

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe
Size

126KB
MD5

6182f0d38783485a9ead962a6869327a
SHA1

965a5be418baa9372688838aa4052a20e5ab4631
SHA256

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d
SHA512

04235000d610d189ed73b36e9cfd2a359e9885335e96ffa0276b1a0babd001f8a653e80c0f37b6fc428d97110b19cb2b19149b45eb02193e8b8e0b317e8279c4
SSDEEP

3072:Z8ra+p+6/mf21inVtQ1OUpdkT+clARIw06c:bcq21YQ1gCi

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4656 netsh.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3344 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeipconfig.exe

pid process

2292 NETSTAT.EXE
4496 NETSTAT.EXE
2684 ipconfig.exe
4612 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

224 systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tasklist.exe

pid process

3344 tasklist.exe
3344 tasklist.exe

pid	process
4656	netsh.exe

pid	process
3344	tasklist.exe

pid	process
2292	NETSTAT.EXE
4496	NETSTAT.EXE
2684	ipconfig.exe
4612	ipconfig.exe

pid	process
224	systeminfo.exe

pid	process
3344	tasklist.exe
3344	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemProfilePrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeProfSingleProcessPrivilege	4588	WMIC.exe
Token: SeIncBasePriorityPrivilege	4588	WMIC.exe
Token: SeCreatePagefilePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeDebugPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeRemoteShutdownPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: 33	4588	WMIC.exe
Token: 34	4588	WMIC.exe
Token: 35	4588	WMIC.exe
Token: 36	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemProfilePrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeProfSingleProcessPrivilege	4588	WMIC.exe
Token: SeIncBasePriorityPrivilege	4588	WMIC.exe
Token: SeCreatePagefilePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeDebugPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeRemoteShutdownPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: 33	4588	WMIC.exe
Token: 34	4588	WMIC.exe
Token: 35	4588	WMIC.exe
Token: 36	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeRemoteShutdownPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: 33	4116	WMIC.exe
Token: 34	4116	WMIC.exe
Token: 35	4116	WMIC.exe
Token: 36	4116	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.execmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2460 wrote to memory of 2176	2460	4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe	cmd.exe
PID 2460 wrote to memory of 2176	2460	4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe	cmd.exe
PID 2176 wrote to memory of 4588	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4588	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4116	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4116	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 3632	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 3632	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 1076	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 1076	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2300	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2300	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 5108	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 5108	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2568	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2568	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 3792	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 3792	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4116	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4116	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4776	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4776	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2456	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 2456	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4920	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4920	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 1332	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 1332	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 644	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 644	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 4612	2176	cmd.exe	ipconfig.exe
PID 2176 wrote to memory of 4612	2176	cmd.exe	ipconfig.exe
PID 2176 wrote to memory of 3784	2176	cmd.exe	ROUTE.EXE
PID 2176 wrote to memory of 3784	2176	cmd.exe	ROUTE.EXE
PID 2176 wrote to memory of 4656	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 4656	2176	cmd.exe	netsh.exe
PID 2176 wrote to memory of 224	2176	cmd.exe	systeminfo.exe
PID 2176 wrote to memory of 224	2176	cmd.exe	systeminfo.exe
PID 2176 wrote to memory of 3344	2176	cmd.exe	tasklist.exe
PID 2176 wrote to memory of 3344	2176	cmd.exe	tasklist.exe
PID 2176 wrote to memory of 1136	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 1136	2176	cmd.exe	net.exe
PID 1136 wrote to memory of 1040	1136	net.exe	net1.exe
PID 1136 wrote to memory of 1040	1136	net.exe	net1.exe
PID 2176 wrote to memory of 3676	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 3676	2176	cmd.exe	net.exe
PID 3676 wrote to memory of 4280	3676	net.exe	net1.exe
PID 3676 wrote to memory of 4280	3676	net.exe	net1.exe
PID 2176 wrote to memory of 4516	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 4516	2176	cmd.exe	net.exe
PID 4516 wrote to memory of 3532	4516	net.exe	net1.exe
PID 4516 wrote to memory of 3532	4516	net.exe	net1.exe
PID 2176 wrote to memory of 4900	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 4900	2176	cmd.exe	net.exe
PID 4900 wrote to memory of 784	4900	net.exe	net1.exe
PID 4900 wrote to memory of 784	4900	net.exe	net1.exe
PID 2176 wrote to memory of 2944	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 2944	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 2820	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 2820	2176	cmd.exe	net.exe
PID 2820 wrote to memory of 4296	2820	net.exe	net1.exe
PID 2820 wrote to memory of 4296	2820	net.exe	net1.exe
PID 2176 wrote to memory of 1600	2176	cmd.exe	net.exe
PID 2176 wrote to memory of 1600	2176	cmd.exe	net.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe
"C:\Users\Admin\AppData\Local\Temp\4ab39abb36148d3ff921833c0d03ed1c7a8116c1a8993210bcfe1565f558107d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SYSTEM32\cmd.exe
cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
3⤵
PID:3632

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
3⤵
PID:1076

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
3⤵
PID:2300

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
3⤵
PID:5108

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
3⤵
PID:2568

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
3⤵
PID:3792

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
3⤵
PID:4116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
3⤵
PID:4776

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
3⤵
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
3⤵
PID:4920

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
3⤵
PID:1332

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
3⤵
PID:644

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
3⤵
- Gathers network information
PID:4612

C:\Windows\system32\ROUTE.EXE
route print
3⤵
PID:3784

C:\Windows\system32\netsh.exe
netsh firewall show state
3⤵
- Modifies Windows Firewall
PID:4656

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:224

C:\Windows\system32\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\net.exe
net accounts /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
4⤵
PID:1040

C:\Windows\system32\net.exe
net share
3⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
4⤵
PID:4280

C:\Windows\system32\net.exe
net user
3⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:3532

C:\Windows\system32\net.exe
net user /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
4⤵
PID:784

C:\Windows\system32\net.exe
net use
3⤵
PID:2944

C:\Windows\system32\net.exe
net group
3⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
4⤵
PID:4296

C:\Windows\system32\net.exe
net localgroup
3⤵
PID:1600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:2196

C:\Windows\system32\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
PID:2552

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:3000

C:\Windows\system32\NETSTAT.EXE
netstat -nao
3⤵
- Gathers network information
PID:4496

C:\Windows\system32\schtasks.exe
schtasks /query /fo LIST
3⤵
PID:4688

C:\Windows\system32\net.exe
net start
3⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:5092

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing