d5feaa594c1402ac14cf911dbe520b2d5670b732d8203c3fd035d96483c605fa

General

Target

System.scr
Size

183KB
MD5

7d17713fc862d6a8e99d21886724b326
SHA1

ecc9378bfe46d03d4c9cfe3ca5e064e93712644c
SHA256

d5feaa594c1402ac14cf911dbe520b2d5670b732d8203c3fd035d96483c605fa
SHA512

8953fec9e3d1248fd8fade518de35c17233ebbdab2f9d2b899203c54a92db76f9aef62a209342fbec00667179105ffbbcae00aee35020119609bceb451bcfef2
SSDEEP

3072:SurlxKc8HZde2vBVQF4EWjFRA229YvepcCBKX/p6:hrl8deAVQF4EWx92iepcCBKv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3492	System.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System.scr"	System.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\System.exe"	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	System.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3492	System.exe
3492	System.exe
3492	System.exe
3492	System.exe
3492	System.exe
3492	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3492	System.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	System.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3592	System.scr
3492	System.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3592	System.scr
3492	System.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3492	3592	System.scr	82
PID 3592 wrote to memory of 3492	3592	System.scr	82

C:\Users\Admin\AppData\Local\Temp\System.scr
"C:\Users\Admin\AppData\Local\Temp\System.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Roaming\Windows\System.exe
  "C:\Users\Admin\AppData\Roaming\Windows\System.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
44B

MD5
f6cc26c8de4d73281a6648d65560678e

SHA1
90220c982ff30ab822bfa0cc790b4e74604d9dd1

SHA256
2ecdc7857187ed701cd6166d5a81c05a1e1ed2f585cf89d3319a9a9bd90ee886

SHA512
ed90074aa7674585558335015aeaa504420e1c4c2a5708634c31497fcc44aa8eb4270cc00207fd7672e34ea3263adc43461c9f9a705cc9161db7b7d8538df969

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\System.exe

Filesize
183KB

MD5
7d17713fc862d6a8e99d21886724b326

SHA1
ecc9378bfe46d03d4c9cfe3ca5e064e93712644c

SHA256
d5feaa594c1402ac14cf911dbe520b2d5670b732d8203c3fd035d96483c605fa

SHA512
8953fec9e3d1248fd8fade518de35c17233ebbdab2f9d2b899203c54a92db76f9aef62a209342fbec00667179105ffbbcae00aee35020119609bceb451bcfef2

Download Submit
memory/3492-28-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-24-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-33-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-32-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-31-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-30-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-29-0x000000001E8F0000-0x000000001E952000-memory.dmp

Filesize
392KB

Download
memory/3492-26-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3492-25-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3592-23-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3592-2-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3592-3-0x000000001BB30000-0x000000001BFFE000-memory.dmp

Filesize
4.8MB

Download
memory/3592-9-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3592-0-0x00007FF9FEBA5000-0x00007FF9FEBA6000-memory.dmp

Filesize
4KB

Download
memory/3592-1-0x000000001B560000-0x000000001B606000-memory.dmp

Filesize
664KB

Download
memory/3592-8-0x000000001E480000-0x000000001E790000-memory.dmp

Filesize
3.1MB

Download
memory/3592-7-0x000000001C340000-0x000000001C38C000-memory.dmp

Filesize
304KB

Download
memory/3592-6-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/3592-5-0x00007FF9FE8F0000-0x00007FF9FF291000-memory.dmp

Filesize
9.6MB

Download
memory/3592-4-0x000000001C0A0000-0x000000001C13C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads