d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857

General

Target

ExeFile (359).exe
Size

85KB
MD5

e1e788e36729db3bd1c754a160340021
SHA1

fbf1072e91554603dbf86599ad2571a513b2c6db
SHA256

d86923504cf20d32c7cb99490c3b37000777d71f932f685f6be22e4bbafbf857
SHA512

7a442471d5d5451f2fb6005ae368bb6eba299b73dd37711b4136049fc53c067786b4cbe2a038a76a5458d068508dc2c34c3b14e106940e6f718a2f60a61f7535
SSDEEP

1536:bWmBAmo4YsUvAMbRxQx+3KuKkcUoTfTH+k6dwymR:bHoOUvAMbRNKEo3HnpD

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

ExeFile (359).exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe ExeFile (359).exe
Executes dropped EXE 1 IoCs

Processes:

MxWeb32.exe

pid process

3000 MxWeb32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ExeFile (359).exe

pid process

1988 ExeFile (359).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe	ExeFile (359).exe

pid	process
3000	MxWeb32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ExeFile (359).exeMxWeb32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExeFile (359).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MxWeb32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

ExeFile (359).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	ExeFile (359).exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686368578563977"	ExeFile (359).exe

Modifies system certificate store 2 TTPs 1 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ExeFile (359).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\SystemCertificates\REQUEST	ExeFile (359).exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

ExeFile (359).exeMxWeb32.exe

pid	process
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
1988	ExeFile (359).exe
3000	MxWeb32.exe
3000	MxWeb32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MxWeb32.exe

pid process

3000 MxWeb32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

MxWeb32.exe

pid process

3000 MxWeb32.exe

pid	process
3000	MxWeb32.exe

pid	process
3000	MxWeb32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ExeFile (359).exe

description	pid	process	target process
PID 1988 wrote to memory of 3000	1988	ExeFile (359).exe	MxWeb32.exe
PID 1988 wrote to memory of 3000	1988	ExeFile (359).exe	MxWeb32.exe
PID 1988 wrote to memory of 3000	1988	ExeFile (359).exe	MxWeb32.exe

C:\Users\Admin\AppData\Local\Temp\ExeFile (359).exe
"C:\Users\Admin\AppData\Local\Temp\ExeFile (359).exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxWeb32.exe

Filesize
1.5MB

MD5
cb3696dc44680137c5e84838b3db3495

SHA1
9b14db1e4a9aea7779fa0af246ddfa96be418a55

SHA256
4e7315adeb47ff58e6dc86a73cfa11027c48e32f7a26fcf1e0460a9aed8c4583

SHA512
c57e6833bc2e12709b2e4225970de39acabca538ebb4f9a75a4570295d0115368b306da2616ed3cee3b73a26af8f5b3e3dc2eb4f03874ba924f99cfec87aca4e

Download Submit
memory/1988-0-0x0000000000AB0000-0x0000000000AE9000-memory.dmp

Filesize
228KB

Download
memory/1988-1-0x0000000000F50000-0x0000000000F54000-memory.dmp

Filesize
16KB

Download
memory/1988-8-0x0000000000AB0000-0x0000000000AE9000-memory.dmp

Filesize
228KB

Download
memory/1988-9-0x0000000000F50000-0x0000000000F54000-memory.dmp

Filesize
16KB

Download
memory/1988-12-0x0000000000AB0000-0x0000000000AE9000-memory.dmp

Filesize
228KB

Download
memory/1988-22-0x0000000000AB0000-0x0000000000AE9000-memory.dmp

Filesize
228KB

Download
memory/1988-27-0x0000000000AB0000-0x0000000000AE9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads