e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48

General

Target

e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe
Size

116KB
MD5

fb7108076d1f05c1329def47949c2244
SHA1

0b918aea3331ef68f16fd65e52b8b1e6b266b133
SHA256

e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48
SHA512

65d3302a403db8c5a3ddb40bc7277bf6c95a24ab51e3bd87ae88c8101d0223c30eb658a20b2d269ec8ddc55e5cd305fe40ee73ee367ec192ce67f6599cef8f93
SSDEEP

1536:YdHRE46IU/k/Ps33emygycfBT2Qhs/cKur447WT+:YJmes335ygycfE3Er446S

Score

10^/10

discovery evasion persistence trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
iownulol

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Update.exe"	Runescape.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe

Executes dropped EXE 2 IoCs

pid	Process
4304	Runescape.exe
4200	Phish.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Update.exe"	Runescape.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Runescape.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3836	GameBarPresenceWriter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{89871C57-6017-4B04-AE3E-275B237969C9}	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	Runescape.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4304	1152	e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe	82
PID 1152 wrote to memory of 4304	1152	e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe	82
PID 1152 wrote to memory of 4200	1152	e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe	83
PID 1152 wrote to memory of 4200	1152	e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe	83

C:\Users\Admin\AppData\Local\Temp\e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe
"C:\Users\Admin\AppData\Local\Temp\e8fbdc7ffee5a0efa3959e1edb5a516d63395cb755a939b9d225ab96600f6e48.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\Runescape.exe
  "C:\Users\Admin\AppData\Local\Temp\Runescape.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\Phish.exe
  "C:\Users\Admin\AppData\Local\Temp\Phish.exe"
  2⤵
  - Executes dropped EXE
  PID:4200

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Phish.exe

Filesize
48KB

MD5
64018530e2a929b505cf0a89e6853ad2

SHA1
6f8d59180066d9f5a68ca3fb9fbcb40909b4ae08

SHA256
000b416307ff025c7eff7782ee56e4c8128ba66a492a6610455207d6dcae31d4

SHA512
99f7f8fef47b2b7ffb9091ed824396decc8410a1834b70226c3e9e15bd492e66b4bc9dfd78134dac5e62ef16f6c36c9eee07673c1288c70e36167101db45caa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runescape.exe

Filesize
24KB

MD5
5725fddc594fcc26a4b2040f7eb639d2

SHA1
1a6c09780cb1819c0c1630d55a6543eaced667c7

SHA256
e84fb1db0322b593cd960db8717db63ade23e3d9558cd1e93e717a20d08e9ab7

SHA512
ff2e6b84d0dfc89c7bec895bce69b9d53db918198d4bf167b80721ad54fdf68fb93f5b9437977ecb1a412990969818ba001d1df1a27ec13c99c8031b33c0491a

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1152-28-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/1152-1-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/1152-2-0x000000001B9B0000-0x000000001BA56000-memory.dmp

Filesize
664KB

Download
memory/1152-0-0x00007FFB45405000-0x00007FFB45406000-memory.dmp

Filesize
4KB

Download
memory/4200-32-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4200-29-0x000000001C150000-0x000000001C1EC000-memory.dmp

Filesize
624KB

Download
memory/4200-33-0x00000000011A0000-0x00000000011A8000-memory.dmp

Filesize
32KB

Download
memory/4200-35-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4200-34-0x000000001C3B0000-0x000000001C3FC000-memory.dmp

Filesize
304KB

Download
memory/4200-36-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4200-53-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4304-30-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4304-31-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4304-26-0x000000001BC30000-0x000000001C0FE000-memory.dmp

Filesize
4.8MB

Download
memory/4304-27-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download
memory/4304-52-0x00007FFB45150000-0x00007FFB45AF1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads