138be3a5769af371a332cf9404cca591cd78d594d6a072fa8047e222ac92770e

General

Target

WebStealer Resou‮nls..scr
Size

362KB
MD5

7c031479dedab585b453098453a09f35
SHA1

401ec0bf7ce170a67c0317150c2b83885e8abc54
SHA256

138be3a5769af371a332cf9404cca591cd78d594d6a072fa8047e222ac92770e
SHA512

17160d0c966c6ea6f8ac182ccd361baf2900dbfbf92ae59804861a404ba5a77a37e499ae0ac2588d46fcd26ce08d29a02e66b09894e4319212fb9f0d23a9643f
SSDEEP

6144:rBx7iw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFmCaxHU0bM:rTkqjVnl36ud0zR/6CtQ9PUHIG8Dn

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
10 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
10	raw.githubusercontent.com

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.sln	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.sln\ = "sln_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WebStealer Resou‮nls..scr

pid process

1232 WebStealer Resou‮nls..scr
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

3004 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WebStealer Resou‮nls..scr

description pid process

Token: SeDebugPrivilege 1232 WebStealer Resou‮nls..scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

3004 AcroRd32.exe
3004 AcroRd32.exe

pid	process
1232	WebStealer Resou‮nls..scr

pid	process
3004	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1232	WebStealer Resou‮nls..scr

pid	process
3004	AcroRd32.exe
3004	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WebStealer Resou‮nls..scrrundll32.exe

description	pid	process	target process
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 1232 wrote to memory of 2600	1232	WebStealer Resou‮nls..scr	rundll32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	AcroRd32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	AcroRd32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	AcroRd32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\WebStealer Resou‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\WebStealer Resou‮nls..scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\1reji4zw.itv.sln
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1reji4zw.itv.sln"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1reji4zw.itv.sln

Filesize
1KB

MD5
3fb112d052dedc474fb9bd48b985bfef

SHA1
56f3c1a7329adef3234f5fe78140072d522ae79e

SHA256
61aab92da76c8919a2d029b4cdd3223f853802b5f799b1859cf5b96e6ae22ca2

SHA512
a828361344edd4aa9be090bbc701aa9f1245a9aee3c83b7724d8df18735f82e54f06f5cf3e5379108a9c978b3c42ec4062ac66d95b08b830577d70f4531bc821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C49.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C5C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2598a0f921ce90d5befbd41c47b2e1a9

SHA1
007968565f2631dfdc8930cc4c93f5e952990d35

SHA256
65851b83bdec172bdf314594c918e5ba7ab434563c4d4b9d3d949685accf0ad4

SHA512
0ec1fa5c24bd3b4ef5cd14b79634205aaca1102e58d3bbfa8c67b31f59c0404b03ae5cf19f147abf55427fb4442363c4925c7acc985eb6db2f631e21332ba121

Download Submit
memory/1232-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1232-1-0x00000000012B0000-0x000000000130C000-memory.dmp

Filesize
368KB

Download
memory/1232-2-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-58-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing