ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5

General

Target

ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
Size

545KB
MD5

a115478a0b50daa5f7769fdac306c4f9
SHA1

ccf4c3fb97e766825731b758a004b315ae984a85
SHA256

ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5
SHA512

f849f4aa57637f48de6ee9eb1afa5f27f423222fef3e432a1e67c517211ad28619c9e8e7ed0bc26d09683c55c4685413196e9a7d6a66078662f087886307986f
SSDEEP

12288:G9vE+VF9mOx9ukEv3g6drKcXrCf/QOKx/KjWFY:+vE+V3mOGk+dddCf3klY

Score

9^/10

collection discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x000a000000012255-16.dat	Nirsoft
behavioral1/files/0x000b000000012255-25.dat	Nirsoft
behavioral1/files/0x0006000000017444-37.dat	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/files/0x0006000000017444-37.dat	MailPassView

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe

Executes dropped EXE 4 IoCs

pid	Process
2760	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
2488	passwordfox.exe
3000	iepv.exe
1656	mailpv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	passwordfox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iepv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailpv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3000	iepv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	iepv.exe
Token: SeRestorePrivilege	3000	iepv.exe
Token: SeBackupPrivilege	3000	iepv.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1832	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	30
PID 2908 wrote to memory of 1832	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	30
PID 2908 wrote to memory of 1832	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	30
PID 2908 wrote to memory of 1832	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	30
PID 2908 wrote to memory of 2760	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	32
PID 2908 wrote to memory of 2760	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	32
PID 2908 wrote to memory of 2760	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	32
PID 2908 wrote to memory of 2488	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	35
PID 2908 wrote to memory of 2488	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	35
PID 2908 wrote to memory of 2488	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	35
PID 2908 wrote to memory of 2488	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	35
PID 2908 wrote to memory of 3000	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	36
PID 2908 wrote to memory of 3000	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	36
PID 2908 wrote to memory of 3000	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	36
PID 2908 wrote to memory of 3000	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	36
PID 2908 wrote to memory of 1656	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	37
PID 2908 wrote to memory of 1656	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	37
PID 2908 wrote to memory of 1656	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	37
PID 2908 wrote to memory of 1656	2908	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	37

C:\Users\Admin\AppData\Local\Temp\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
"C:\Users\Admin\AppData\Local\Temp\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe "C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.il"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
  C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
  C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\iepv.exe
  C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\mailpv.exe
  C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe

Filesize
88KB

MD5
96eaf707a7f5e252e0ef640a9f9a41e9

SHA1
1db028b8e2dad98ab25abfa498ffd0e344b8178c

SHA256
9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2

SHA512
12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailpv.exe

Filesize
96KB

MD5
3f5aca02abb16dbf86748596e4fa0258

SHA1
1588bfd4e090d3d194879899c02dcc207d5ca257

SHA256
10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0

SHA512
bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe

Filesize
88KB

MD5
09b98d668124d3894814f57e84da1b25

SHA1
13e3ede7c513d7e6853f99309b83ca01a1de41fd

SHA256
432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512

SHA512
2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615

Download Submit
C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe

Filesize
2KB

MD5
235003102866316314ba41bbb33ab99f

SHA1
b5c95a3cf3681cdc85215d58d27c8718c6d0f90b

SHA256
28db0a552ac6558c8cd6050453655c4cb9d63b85822a998bc07f1c888aa959ac

SHA512
3511bfb57dbfd44c3e5d92cc407623d0d09825ada7095e1cab7a517ee3134764d026fcc37a833f1d5eb7c6658dcef5313983cabf908eaf3268e7c03cce2f38cf

Download Submit
C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.il

Filesize
953B

MD5
62c4315b5f4e146ab5df0e140510d808

SHA1
b21764e06f0ddf1e619ac3cced12fdcf5a263840

SHA256
ebf04b0daf55819eb23925e693c6310abbbbe5ce8895bd91442efc761c5741e9

SHA512
91b055e9f3da0f2cbf9611aec9dbb080fdc8a30ef0d0c2bb1ec0e3f86db44ee58b5a6dde90bccbc63b7131a1ff64b26ece68a5332a3fdff4a8419fd29aad613f

Download Submit
memory/1832-5-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2908-0-0x000007FEF679E000-0x000007FEF679F000-memory.dmp

Filesize
4KB

Download
memory/2908-2-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-3-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-31-0x000007FEF64E0000-0x000007FEF6E7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing