bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb

General

Target

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe
Size

126KB
MD5

5f3c137a22cfa683c791e8b0cc2283c4
SHA1

874dd301d52fbc6bf170c561b396691c99c0479d
SHA256

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb
SHA512

1ce56739e3514850808928134c8a7221f29d530737b50bd4c4bc6126d49a5c18e1bbf13af6a8bf2be98dea4b3e58d5e4a288bef4930e3770c6a82f7b58442e03
SSDEEP

3072:z8ra+p+6/mf21inVtQ1OUpdkT+clARIw06c:Jcq21YQ1gCi

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2416 netsh.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1908 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exeNETSTAT.EXE

pid process

4412 NETSTAT.EXE
1544 ipconfig.exe
2028 ipconfig.exe
4588 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3488 systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tasklist.exe

pid process

1908 tasklist.exe
1908 tasklist.exe

pid	process
2416	netsh.exe

pid	process
1908	tasklist.exe

pid	process
4412	NETSTAT.EXE
1544	ipconfig.exe
2028	ipconfig.exe
4588	NETSTAT.EXE

pid	process
3488	systeminfo.exe

pid	process
1908	tasklist.exe
1908	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	4564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3436	WMIC.exe
Token: SeSecurityPrivilege	3436	WMIC.exe
Token: SeTakeOwnershipPrivilege	3436	WMIC.exe
Token: SeLoadDriverPrivilege	3436	WMIC.exe
Token: SeSystemProfilePrivilege	3436	WMIC.exe
Token: SeSystemtimePrivilege	3436	WMIC.exe
Token: SeProfSingleProcessPrivilege	3436	WMIC.exe
Token: SeIncBasePriorityPrivilege	3436	WMIC.exe
Token: SeCreatePagefilePrivilege	3436	WMIC.exe
Token: SeBackupPrivilege	3436	WMIC.exe
Token: SeRestorePrivilege	3436	WMIC.exe
Token: SeShutdownPrivilege	3436	WMIC.exe
Token: SeDebugPrivilege	3436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3436	WMIC.exe
Token: SeRemoteShutdownPrivilege	3436	WMIC.exe
Token: SeUndockPrivilege	3436	WMIC.exe
Token: SeManageVolumePrivilege	3436	WMIC.exe
Token: 33	3436	WMIC.exe
Token: 34	3436	WMIC.exe
Token: 35	3436	WMIC.exe
Token: 36	3436	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.execmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4524 wrote to memory of 4788	4524	bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe	cmd.exe
PID 4524 wrote to memory of 4788	4524	bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe	cmd.exe
PID 4788 wrote to memory of 3024	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3024	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3436	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3436	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3120	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3120	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4276	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4276	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 5016	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 5016	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 2516	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 2516	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4832	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4832	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 880	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 880	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 2548	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 2548	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4652	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4652	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 1072	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 1072	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3088	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3088	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3472	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 3472	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4968	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 4968	4788	cmd.exe	WMIC.exe
PID 4788 wrote to memory of 2028	4788	cmd.exe	ipconfig.exe
PID 4788 wrote to memory of 2028	4788	cmd.exe	ipconfig.exe
PID 4788 wrote to memory of 4452	4788	cmd.exe	ROUTE.EXE
PID 4788 wrote to memory of 4452	4788	cmd.exe	ROUTE.EXE
PID 4788 wrote to memory of 2416	4788	cmd.exe	netsh.exe
PID 4788 wrote to memory of 2416	4788	cmd.exe	netsh.exe
PID 4788 wrote to memory of 3488	4788	cmd.exe	systeminfo.exe
PID 4788 wrote to memory of 3488	4788	cmd.exe	systeminfo.exe
PID 4788 wrote to memory of 1908	4788	cmd.exe	tasklist.exe
PID 4788 wrote to memory of 1908	4788	cmd.exe	tasklist.exe
PID 4788 wrote to memory of 4456	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 4456	4788	cmd.exe	net.exe
PID 4456 wrote to memory of 4896	4456	net.exe	net1.exe
PID 4456 wrote to memory of 4896	4456	net.exe	net1.exe
PID 4788 wrote to memory of 532	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 532	4788	cmd.exe	net.exe
PID 532 wrote to memory of 4516	532	net.exe	net1.exe
PID 532 wrote to memory of 4516	532	net.exe	net1.exe
PID 4788 wrote to memory of 4248	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 4248	4788	cmd.exe	net.exe
PID 4248 wrote to memory of 552	4248	net.exe	net1.exe
PID 4248 wrote to memory of 552	4248	net.exe	net1.exe
PID 4788 wrote to memory of 3936	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 3936	4788	cmd.exe	net.exe
PID 3936 wrote to memory of 896	3936	net.exe	net1.exe
PID 3936 wrote to memory of 896	3936	net.exe	net1.exe
PID 4788 wrote to memory of 5036	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 5036	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 3848	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 3848	4788	cmd.exe	net.exe
PID 3848 wrote to memory of 4120	3848	net.exe	net1.exe
PID 3848 wrote to memory of 4120	3848	net.exe	net1.exe
PID 4788 wrote to memory of 3044	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 3044	4788	cmd.exe	net.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe
"C:\Users\Admin\AppData\Local\Temp\bce98fb5fb2b993925218e9fef94616868a40ebf2f5ebdf1ba58a201ca2cd6bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SYSTEM32\cmd.exe
cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
3⤵
PID:3120

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
3⤵
PID:4276

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
3⤵
PID:5016

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
3⤵
PID:2516

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
3⤵
PID:4832

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
3⤵
PID:880

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
3⤵
PID:2548

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
3⤵
PID:4652

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
3⤵
PID:1072

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
3⤵
PID:3088

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
3⤵
PID:3472

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
3⤵
PID:4968

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
3⤵
- Gathers network information
PID:2028

C:\Windows\system32\ROUTE.EXE
route print
3⤵
PID:4452

C:\Windows\system32\netsh.exe
netsh firewall show state
3⤵
- Modifies Windows Firewall
PID:2416

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:3488

C:\Windows\system32\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\system32\net.exe
net accounts /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
4⤵
PID:4896

C:\Windows\system32\net.exe
net share
3⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
4⤵
PID:4516

C:\Windows\system32\net.exe
net user
3⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:552

C:\Windows\system32\net.exe
net user /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
4⤵
PID:896

C:\Windows\system32\net.exe
net use
3⤵
PID:5036

C:\Windows\system32\net.exe
net group
3⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
4⤵
PID:4120

C:\Windows\system32\net.exe
net localgroup
3⤵
PID:3044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:1440

C:\Windows\system32\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
PID:412

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:5016

C:\Windows\system32\NETSTAT.EXE
netstat -nao
3⤵
- Gathers network information
PID:4412

C:\Windows\system32\schtasks.exe
schtasks /query /fo LIST
3⤵
PID:4004

C:\Windows\system32\net.exe
net start
3⤵
PID:624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start
4⤵
PID:208

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:1544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing