847f0f5e71d536638fbd6c3141b0508c9f3ae1e1e4e9619ebc4e65b627a7c5d4

General

Target

0125adef6e9eed738ebac6e35c21c5ea.exe
Size

482KB
MD5

0125adef6e9eed738ebac6e35c21c5ea
SHA1

ea37d0d7f4b5f9d8577ade5c1a2f9c6558c2ca2d
SHA256

847f0f5e71d536638fbd6c3141b0508c9f3ae1e1e4e9619ebc4e65b627a7c5d4
SHA512

49e6134cf459de8c9a778a511b03bd514b222c9c98849ffb1dffd315911eb095677ae4787132ec32a7cdaafffb68d44696ee2db55348c3c106b90a5a507549f7
SSDEEP

6144:STz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrnT4:STlrYw1RUh3NFn+N5WfIQIjbs/ZBsT4

Score

9^/10

collection credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2936-8-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2860-16-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2208-15-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2860-14-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2208-9-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2860-18-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2936-23-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2208-27-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2208-15-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2208-9-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2208-27-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2936-8-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2936-23-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 588 set thread context of 2936	588	0125adef6e9eed738ebac6e35c21c5ea.exe	30
PID 588 set thread context of 2208	588	0125adef6e9eed738ebac6e35c21c5ea.exe	31
PID 588 set thread context of 2860	588	0125adef6e9eed738ebac6e35c21c5ea.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0125adef6e9eed738ebac6e35c21c5ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0125adef6e9eed738ebac6e35c21c5ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0125adef6e9eed738ebac6e35c21c5ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	0125adef6e9eed738ebac6e35c21c5ea.exe
2936	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
588	0125adef6e9eed738ebac6e35c21c5ea.exe
588	0125adef6e9eed738ebac6e35c21c5ea.exe
588	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
588	0125adef6e9eed738ebac6e35c21c5ea.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2936	588	0125adef6e9eed738ebac6e35c21c5ea.exe	30
PID 588 wrote to memory of 2936	588	0125adef6e9eed738ebac6e35c21c5ea.exe	30
PID 588 wrote to memory of 2936	588	0125adef6e9eed738ebac6e35c21c5ea.exe	30
PID 588 wrote to memory of 2936	588	0125adef6e9eed738ebac6e35c21c5ea.exe	30
PID 588 wrote to memory of 2208	588	0125adef6e9eed738ebac6e35c21c5ea.exe	31
PID 588 wrote to memory of 2208	588	0125adef6e9eed738ebac6e35c21c5ea.exe	31
PID 588 wrote to memory of 2208	588	0125adef6e9eed738ebac6e35c21c5ea.exe	31
PID 588 wrote to memory of 2208	588	0125adef6e9eed738ebac6e35c21c5ea.exe	31
PID 588 wrote to memory of 2860	588	0125adef6e9eed738ebac6e35c21c5ea.exe	32
PID 588 wrote to memory of 2860	588	0125adef6e9eed738ebac6e35c21c5ea.exe	32
PID 588 wrote to memory of 2860	588	0125adef6e9eed738ebac6e35c21c5ea.exe	32
PID 588 wrote to memory of 2860	588	0125adef6e9eed738ebac6e35c21c5ea.exe	32

C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe
"C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe
  C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\wpkljyyetk"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe
  C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\yjpdjrighsnaxj"
  2⤵
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe
  C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\jmuokjtzvaffhprtl"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\media\logs.dat

Filesize
144B

MD5
82a6aa4eb2ec491327a384c3c754c02c

SHA1
2bea54e2b208fb18d4189570d2b6e100426ab19a

SHA256
c579b9d5ca1798ff428d77d480e6be25deac3b60b8885ab7acb7cf043beb93ac

SHA512
6f6d6572575ecec8adc01d3e3f7122b0ffe4c01316469cbac4cd972406289cc21a21b0fad4364285fd4d2865e9375604929098807b726c4c12ae3ef59ea2d022

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpkljyyetk

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/588-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/588-32-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/588-29-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-7-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2208-6-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2208-15-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2208-27-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2208-9-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2860-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-1-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-3-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-8-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing