0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4

General

Target

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
Size

209KB
MD5

5960ea71489b43b5e418523d5ebd7fa2
SHA1

8b98aa0bd6fec4e87a32e37b976497ee561b0a3a
SHA256

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4
SHA512

111cc28e28d63850878e756257ae156ab7a33ad3e953841ae83cde490c6bdbc68b5c65f7ffe4e760abfb5bb4f584cc432f2cfa7993e7f7c93aba2598390bd7e4
SSDEEP

6144:6kk2HAZ94N1qqZ4foYzyr0j8rvVYC/Iwgd:vk2HAZaN1qqiAYz98rNU

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Urgent System Check = "C:\\Windows\\system32\\winsrv32.exe"	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsrv32.exe	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
File opened for modification	C:\Windows\SysWOW64\winsrv32.exe	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

pid	process
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

description	pid	process
Token: SeDebugPrivilege	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
Token: SeShutdownPrivilege	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe

description	pid	process	target process
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe
PID 4916 wrote to memory of 796	4916	0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe
"C:\Users\Admin\AppData\Local\Temp\0498bd5aa82ef8b9ca4f26eeeceb9fa9aec2a10cf84c7813b17ec7d68c7764f4.exe"
2⤵
- Adds policy Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0498BD~1.EXE >> NUL
3⤵
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-2-0x0000000003420000-0x0000000003433000-memory.dmp

Filesize
76KB

Download
memory/3440-3-0x00000000038F0000-0x0000000003903000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads