c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf

General

Target

c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Size

471KB
MD5

7fdc6d283bcbd3b6957117bcf029121b
SHA1

98a235ee6312fa0554dcf0d3ef900f3c6407de63
SHA256

c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf
SHA512

50147a5b22a6c5997dcb07c93f781ee9b35ca19666ee37671970917d2c204c7c0f15b7da69ee00c5473d4f79420537b1985e27e56ba54cde08afb61e0a82e711
SSDEEP

6144:okjPhTiT3Iockv78XqKK6Woijzy8vk/yj7pqYDm7RRbZGky847ecW:X0Iov8ejzB2o7EYebkky17ec

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

pid	process
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

description	pid	process
Token: SeDebugPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Token: SeBackupPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Token: SeSecurityPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Token: SeSecurityPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Token: SeSecurityPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
Token: SeSecurityPrivilege	4880	c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe

C:\Users\Admin\AppData\Local\Temp\c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe
"C:\Users\Admin\AppData\Local\Temp\c973e384fd5a93315635c41262e5616e7a602ffa79d18bb600ad10fba480fbbf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4880-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/4880-1-0x0000000000070000-0x00000000000EA000-memory.dmp

Filesize
488KB

Download
memory/4880-2-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/4880-3-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/4880-4-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-5-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-6-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/4880-7-0x0000000007FE0000-0x00000000085F8000-memory.dmp

Filesize
6.1MB

Download
memory/4880-8-0x00000000076D0000-0x00000000076E2000-memory.dmp

Filesize
72KB

Download
memory/4880-9-0x0000000007AD0000-0x0000000007BDA000-memory.dmp

Filesize
1.0MB

Download
memory/4880-10-0x00000000079C0000-0x00000000079FC000-memory.dmp

Filesize
240KB

Download
memory/4880-11-0x0000000007700000-0x000000000774C000-memory.dmp

Filesize
304KB

Download
memory/4880-12-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-15-0x0000000008B40000-0x0000000008BA6000-memory.dmp

Filesize
408KB

Download
memory/4880-16-0x0000000008E30000-0x0000000008EA6000-memory.dmp

Filesize
472KB

Download
memory/4880-17-0x0000000008DB0000-0x0000000008DCE000-memory.dmp

Filesize
120KB

Download
memory/4880-18-0x0000000009F20000-0x000000000A0E2000-memory.dmp

Filesize
1.8MB

Download
memory/4880-19-0x000000000A620000-0x000000000AB4C000-memory.dmp

Filesize
5.2MB

Download
memory/4880-20-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/4880-21-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4880-23-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads