cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe

General

Target

cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
Size

272KB
MD5

fcddcc6103abdc8512e6aef6a41944a0
SHA1

102acf317f50f0d45dc93f804e20ec8c7ab3a151
SHA256

cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe
SHA512

709786c78d44ea9e71d93beb8c09ca3d6225eac03434d5642bb42864f1d366056429806b6aae5f65e4766710cfaed5dafdfa8ee9fe2ed487738db44d7fc55e1c
SSDEEP

6144:ijOZOz0jOZ+ghfu3WujOZsfRYDjbvKT8N5XaMLPOgRv+qR:ijOZOz0jOZ+g1umujOZsCq8NNPl9+q

Score

7^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2988	Install Lightroom 2.4.exe
4120	server.exe
2040	Install Lightroom 2.4.exe
4600	server.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2040	2988	Install Lightroom 2.4.exe	87
PID 4120 set thread context of 4600	4120	server.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install Lightroom 2.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1288	timeout.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2988	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	85
PID 1612 wrote to memory of 2988	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	85
PID 1612 wrote to memory of 2988	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	85
PID 1612 wrote to memory of 4120	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	86
PID 1612 wrote to memory of 4120	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	86
PID 1612 wrote to memory of 4120	1612	cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe	86
PID 2988 wrote to memory of 2040	2988	Install Lightroom 2.4.exe	87
PID 2988 wrote to memory of 2040	2988	Install Lightroom 2.4.exe	87
PID 2988 wrote to memory of 2040	2988	Install Lightroom 2.4.exe	87
PID 2988 wrote to memory of 2040	2988	Install Lightroom 2.4.exe	87
PID 2988 wrote to memory of 2040	2988	Install Lightroom 2.4.exe	87
PID 4120 wrote to memory of 4600	4120	server.exe	88
PID 4120 wrote to memory of 4600	4120	server.exe	88
PID 4120 wrote to memory of 4600	4120	server.exe	88
PID 4120 wrote to memory of 4600	4120	server.exe	88
PID 4120 wrote to memory of 4600	4120	server.exe	88
PID 4600 wrote to memory of 4060	4600	server.exe	96
PID 4600 wrote to memory of 4060	4600	server.exe	96
PID 4600 wrote to memory of 4060	4600	server.exe	96
PID 4060 wrote to memory of 1288	4060	cmd.exe	98
PID 4060 wrote to memory of 1288	4060	cmd.exe	98
PID 4060 wrote to memory of 1288	4060	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
"C:\Users\Admin\AppData\Local\Temp\cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe
    "C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe"
    3⤵
    - Executes dropped EXE
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe

Filesize
98KB

MD5
a60ca61e6d68432e67df805e3993acab

SHA1
9329198e5fac53f8c23af8c740d02fb3be1c8c89

SHA256
8f260601b2f89584dd665f91ac3222dd99fa9ce7d7ba912288a5a96f6474193e

SHA512
095e3e3153224508172d87a32d7e8b679a04abbbfd6c5f3244989d484a786e22f502440707a928d26816fd2ec616ac669ea5e0ec0416aefe36c9ea23fe5db87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
138KB

MD5
49b46e6f0e2d9aea8dd2ad7d635fbb1d

SHA1
7820e7d24e0f51f3b0bcf67a1d2a7cbfd81d9e9e

SHA256
6777656fef03083dad8c649997df0db87bd0f4250a144edb28c5938e474b5c9b

SHA512
c4a9ff64b6e20bee7b3fe8bb6bb05ea8cd90147d45f04d486ddf27d6f1176d5f0b45799c37212bd3d14589867ed25639e0e84d33734e819c722b47e8552033d9

Download Submit
memory/2040-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2040-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2040-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4600-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4600-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing