aabc266802f04d1eeea56deddf0bc38f4e14d5c67685fd9c4a7c6d98efa7b31d

General

Target

66F26F04628F10BA6A66A759977F01F9.exe
Size

19.3MB
MD5

66f26f04628f10ba6a66a759977f01f9
SHA1

b78d1c56fcda9a1bb8b0b6ecaf4d406960048922
SHA256

aabc266802f04d1eeea56deddf0bc38f4e14d5c67685fd9c4a7c6d98efa7b31d
SHA512

0c5bc4b933a7e5dff076e81020ec78b512fb05fb217a49d1469445c2e77d57dfb9280ac6d439f84499ec3c4450cf369bfcf219e7f4d9389fbd39e66d6afee25d
SSDEEP

49152:BD95ju4gEp9ywkJa3REQPN69LcLPigAFLhRlqagBM9UOZmX/TQjE:BD9FgE6VJaBEQ9rigAF1qaEkUCmk

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66F26F04628F10BA6A66A759977F01F9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	66F26F04628F10BA6A66A759977F01F9.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4332 csrss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ipinfo.io
26 ipinfo.io
66 ipinfo.io
67 ipinfo.io

pid	process
4332	csrss.exe

flow	ioc
25	ipinfo.io
26	ipinfo.io
66	ipinfo.io
67	ipinfo.io

Drops file in Windows directory 2 IoCs

Processes:

66F26F04628F10BA6A66A759977F01F9.exe

description	ioc	process
File created	C:\Windows\Cursors\sysmon.exe	66F26F04628F10BA6A66A759977F01F9.exe
File created	C:\Windows\Cursors\121e5b5079f7c0	66F26F04628F10BA6A66A759977F01F9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

66F26F04628F10BA6A66A759977F01F9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	66F26F04628F10BA6A66A759977F01F9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

868 PING.EXE

pid	process
868	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66F26F04628F10BA6A66A759977F01F9.exe

pid	process
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe
3604	66F26F04628F10BA6A66A759977F01F9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

66F26F04628F10BA6A66A759977F01F9.execsrss.exe

description pid process

Token: SeDebugPrivilege 3604 66F26F04628F10BA6A66A759977F01F9.exe
Token: SeDebugPrivilege 4332 csrss.exe

description	pid	process
Token: SeDebugPrivilege	3604	66F26F04628F10BA6A66A759977F01F9.exe
Token: SeDebugPrivilege	4332	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

66F26F04628F10BA6A66A759977F01F9.execmd.exe

description	pid	process	target process
PID 3604 wrote to memory of 2740	3604	66F26F04628F10BA6A66A759977F01F9.exe	cmd.exe
PID 3604 wrote to memory of 2740	3604	66F26F04628F10BA6A66A759977F01F9.exe	cmd.exe
PID 2740 wrote to memory of 636	2740	cmd.exe	chcp.com
PID 2740 wrote to memory of 636	2740	cmd.exe	chcp.com
PID 2740 wrote to memory of 868	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 868	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 4332	2740	cmd.exe	csrss.exe
PID 2740 wrote to memory of 4332	2740	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\66F26F04628F10BA6A66A759977F01F9.exe
"C:\Users\Admin\AppData\Local\Temp\66F26F04628F10BA6A66A759977F01F9.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ituFHVgQTM.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:636

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:868

C:\Users\Default User\csrss.exe
"C:\Users\Default User\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ituFHVgQTM.bat
Filesize
159B

MD5
07895d1f79aded8e170fa288268499b3

SHA1
2695eb04cf0c228167be9612168da90815badc7d

SHA256
3f1ecbb9952b3cbf58d8f210e5009f0dafa48b0da79466338ead615af5215b3b

SHA512
bfc690b8bf30758549ffb7ed84caf94773664c1196c8c802a90d79ee98ea2a26a35caa61f22ae1416abaec786090a9674c807667b001b175adb205e7bb9a52f8

Download Submit
C:\Users\Default\csrss.exe
Filesize
19.3MB

MD5
66f26f04628f10ba6a66a759977f01f9

SHA1
b78d1c56fcda9a1bb8b0b6ecaf4d406960048922

SHA256
aabc266802f04d1eeea56deddf0bc38f4e14d5c67685fd9c4a7c6d98efa7b31d

SHA512
0c5bc4b933a7e5dff076e81020ec78b512fb05fb217a49d1469445c2e77d57dfb9280ac6d439f84499ec3c4450cf369bfcf219e7f4d9389fbd39e66d6afee25d

Download Submit
memory/3604-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/3604-1-0x00000000004B0000-0x0000000000868000-memory.dmp

Filesize
3.7MB

Download
memory/3604-2-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-3-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-4-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-5-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-7-0x0000000002AB0000-0x0000000002AD6000-memory.dmp

Filesize
152KB

Download
memory/3604-8-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-9-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-10-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-12-0x00000000011C0000-0x00000000011CE000-memory.dmp

Filesize
56KB

Download
memory/3604-13-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-15-0x0000000002AE0000-0x0000000002AFC000-memory.dmp

Filesize
112KB

Download
memory/3604-16-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-17-0x0000000002C90000-0x0000000002CE0000-memory.dmp

Filesize
320KB

Download
memory/3604-18-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/3604-20-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/3604-21-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-23-0x0000000002B00000-0x0000000002B18000-memory.dmp

Filesize
96KB

Download
memory/3604-25-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/3604-28-0x00000000011F0000-0x0000000001200000-memory.dmp

Filesize
64KB

Download
memory/3604-26-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-30-0x0000000002B20000-0x0000000002B2E000-memory.dmp

Filesize
56KB

Download
memory/3604-31-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-33-0x0000000002B30000-0x0000000002B3E000-memory.dmp

Filesize
56KB

Download
memory/3604-35-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/3604-37-0x0000000002B50000-0x0000000002B5E000-memory.dmp

Filesize
56KB

Download
memory/3604-39-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/3604-41-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/3604-43-0x0000000002D20000-0x0000000002D36000-memory.dmp

Filesize
88KB

Download
memory/3604-45-0x000000001B510000-0x000000001B522000-memory.dmp

Filesize
72KB

Download
memory/3604-46-0x000000001CEC0000-0x000000001D3E8000-memory.dmp

Filesize
5.2MB

Download
memory/3604-48-0x0000000002CE0000-0x0000000002CEE000-memory.dmp

Filesize
56KB

Download
memory/3604-50-0x0000000002CF0000-0x0000000002CFC000-memory.dmp

Filesize
48KB

Download
memory/3604-52-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3604-54-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/3604-56-0x000000001C990000-0x000000001C9EA000-memory.dmp

Filesize
360KB

Download
memory/3604-58-0x000000001B550000-0x000000001B55E000-memory.dmp

Filesize
56KB

Download
memory/3604-60-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/3604-62-0x000000001B570000-0x000000001B57E000-memory.dmp

Filesize
56KB

Download
memory/3604-64-0x000000001B580000-0x000000001B588000-memory.dmp

Filesize
32KB

Download
memory/3604-66-0x000000001B5B0000-0x000000001B5C8000-memory.dmp

Filesize
96KB

Download
memory/3604-68-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/3604-70-0x000000001CC40000-0x000000001CC8E000-memory.dmp

Filesize
312KB

Download
memory/3604-77-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-82-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-83-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-84-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-88-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-92-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-123-0x000000001DD00000-0x000000001DEA9000-memory.dmp

Filesize
1.7MB

Download
memory/4332-126-0x000000001DD00000-0x000000001DEA9000-memory.dmp

Filesize
1.7MB

Download
memory/4332-157-0x000000001DD00000-0x000000001DEA9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads