fc524bf0e12c4e0384455fe43c1866aa916a0be71e6589175fa55dab371c9d2e

General

Target

server.exe
Size

264KB
MD5

f5174421d2d447e83e559968296bdc9d
SHA1

11f85e5fd530506997baa7f0bfe2821d79d028d0
SHA256

fc524bf0e12c4e0384455fe43c1866aa916a0be71e6589175fa55dab371c9d2e
SHA512

ffdc4673e0e116530dae6d268ce6df488cf1cd2f28121149daf537173f0212d1cb6d0e3a46d45bf1ea6c164a443c3cd1121bce845877ded99fab5841c5f8be38
SSDEEP

3072:q6hSrbZO8RnLIDbNu3cNkipXlL6zslKWveIiHPhgh8a+VPhgh8a+rHmY:qqyZOOnLqM3c6wVL62KtXghcghMr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	server.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	server.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server\\server.exe"	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2644	server.exe
2644	server.exe
2644	server.exe
2644	server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2740	server.exe
2644	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	server.exe
2644	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2644	2740	server.exe	28
PID 2740 wrote to memory of 2644	2740	server.exe	28
PID 2740 wrote to memory of 2644	2740	server.exe	28
PID 2740 wrote to memory of 2644	2740	server.exe	28

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Roaming\server\server.exe
  "C:\Users\Admin\AppData\Roaming\server\server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
298802dff6aa26d4fb941c7ccf5c0849

SHA1
11e518ca3409f1863ebc2d3f1be9fb701bad52c0

SHA256
df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

SHA512
0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

Download Submit
C:\Users\Admin\AppData\Roaming\server\server.exe

Filesize
264KB

MD5
f5174421d2d447e83e559968296bdc9d

SHA1
11f85e5fd530506997baa7f0bfe2821d79d028d0

SHA256
fc524bf0e12c4e0384455fe43c1866aa916a0be71e6589175fa55dab371c9d2e

SHA512
ffdc4673e0e116530dae6d268ce6df488cf1cd2f28121149daf537173f0212d1cb6d0e3a46d45bf1ea6c164a443c3cd1121bce845877ded99fab5841c5f8be38

Download Submit
memory/2644-16-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-14-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-13-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-17-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-18-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-19-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-20-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-5-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-12-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-0-0x0000000074CB1000-0x0000000074CB2000-memory.dmp

Filesize
4KB

Download
memory/2740-2-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-1-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads