bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb

General

Target

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe
Size

126KB
MD5

5f3c137a22cfa683c791e8b0cc2283c4
SHA1

874dd301d52fbc6bf170c561b396691c99c0479d
SHA256

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb
SHA512

1ce56739e3514850808928134c8a7221f29d530737b50bd4c4bc6126d49a5c18e1bbf13af6a8bf2be98dea4b3e58d5e4a288bef4930e3770c6a82f7b58442e03
SSDEEP

3072:z8ra+p+6/mf21inVtQ1OUpdkT+clARIw06c:Jcq21YQ1gCi

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2236 netsh.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1608 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2228 ipconfig.exe
2596 NETSTAT.EXE
1388 NETSTAT.EXE
2832 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2164 systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tasklist.exe

pid process

1608 tasklist.exe
1608 tasklist.exe

pid	process
2236	netsh.exe

pid	process
1608	tasklist.exe

pid	process
2228	ipconfig.exe
2596	NETSTAT.EXE
1388	NETSTAT.EXE
2832	ipconfig.exe

pid	process
2164	systeminfo.exe

pid	process
1608	tasklist.exe
1608	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeSecurityPrivilege	2628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeSecurityPrivilege	2476	WMIC.exe
Token: SeTakeOwnershipPrivilege	2476	WMIC.exe
Token: SeLoadDriverPrivilege	2476	WMIC.exe
Token: SeSystemProfilePrivilege	2476	WMIC.exe
Token: SeSystemtimePrivilege	2476	WMIC.exe
Token: SeProfSingleProcessPrivilege	2476	WMIC.exe
Token: SeIncBasePriorityPrivilege	2476	WMIC.exe
Token: SeCreatePagefilePrivilege	2476	WMIC.exe
Token: SeBackupPrivilege	2476	WMIC.exe
Token: SeRestorePrivilege	2476	WMIC.exe
Token: SeShutdownPrivilege	2476	WMIC.exe
Token: SeDebugPrivilege	2476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2476	WMIC.exe
Token: SeRemoteShutdownPrivilege	2476	WMIC.exe
Token: SeUndockPrivilege	2476	WMIC.exe
Token: SeManageVolumePrivilege	2476	WMIC.exe
Token: 33	2476	WMIC.exe
Token: 34	2476	WMIC.exe
Token: 35	2476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.execmd.exenet.exe

description	pid	process	target process
PID 3016 wrote to memory of 1996	3016	bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe	cmd.exe
PID 3016 wrote to memory of 1996	3016	bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe	cmd.exe
PID 3016 wrote to memory of 1996	3016	bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe	cmd.exe
PID 1996 wrote to memory of 468	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 468	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 468	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2476	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2476	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2476	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1808	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1808	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1808	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 544	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 544	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 544	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2768	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2768	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2768	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2496	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2496	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2496	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 684	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 684	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 684	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2224	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2224	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2224	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1064	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1064	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1064	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1592	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1592	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1592	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1352	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1352	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1352	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2356	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2356	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2356	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1652	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1652	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1652	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1028	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1028	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1028	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 2228	1996	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 2228	1996	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 2228	1996	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 844	1996	cmd.exe	ROUTE.EXE
PID 1996 wrote to memory of 844	1996	cmd.exe	ROUTE.EXE
PID 1996 wrote to memory of 844	1996	cmd.exe	ROUTE.EXE
PID 1996 wrote to memory of 2236	1996	cmd.exe	netsh.exe
PID 1996 wrote to memory of 2236	1996	cmd.exe	netsh.exe
PID 1996 wrote to memory of 2236	1996	cmd.exe	netsh.exe
PID 1996 wrote to memory of 2164	1996	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 2164	1996	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 2164	1996	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 1608	1996	cmd.exe	tasklist.exe
PID 1996 wrote to memory of 1608	1996	cmd.exe	tasklist.exe
PID 1996 wrote to memory of 1608	1996	cmd.exe	tasklist.exe
PID 1996 wrote to memory of 2676	1996	cmd.exe	net.exe
PID 1996 wrote to memory of 2676	1996	cmd.exe	net.exe
PID 1996 wrote to memory of 2676	1996	cmd.exe	net.exe
PID 2676 wrote to memory of 2648	2676	net.exe	net1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe
"C:\Users\Admin\AppData\Local\Temp\bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\cmd.exe
cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
3⤵
PID:1808

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
3⤵
PID:544

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
3⤵
PID:2768

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
3⤵
PID:2496

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
3⤵
PID:684

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
3⤵
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
3⤵
PID:1064

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
3⤵
PID:1592

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
3⤵
PID:1352

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
3⤵
PID:2356

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
3⤵
PID:1652

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
3⤵
PID:1028

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
3⤵
- Gathers network information
PID:2228

C:\Windows\system32\ROUTE.EXE
route print
3⤵
PID:844

C:\Windows\system32\netsh.exe
netsh firewall show state
3⤵
- Modifies Windows Firewall
PID:2236

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:2164

C:\Windows\system32\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\system32\net.exe
net accounts /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
4⤵
PID:2648

C:\Windows\system32\net.exe
net share
3⤵
PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
4⤵
PID:2532

C:\Windows\system32\net.exe
net user
3⤵
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:2948

C:\Windows\system32\net.exe
net user /domain
3⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
4⤵
PID:2612

C:\Windows\system32\net.exe
net use
3⤵
PID:2660

C:\Windows\system32\net.exe
net group
3⤵
PID:2636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
4⤵
PID:2524

C:\Windows\system32\net.exe
net localgroup
3⤵
PID:2520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:2540

C:\Windows\system32\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
PID:3028

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:2600

C:\Windows\system32\NETSTAT.EXE
netstat -nao
3⤵
- Gathers network information
PID:1388

C:\Windows\system32\schtasks.exe
schtasks /query /fo LIST
3⤵
PID:3040

C:\Windows\system32\net.exe
net start
3⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:1992

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3016 -s 680
2⤵
PID:2888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing