ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5

General

Target

ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
Size

545KB
MD5

a115478a0b50daa5f7769fdac306c4f9
SHA1

ccf4c3fb97e766825731b758a004b315ae984a85
SHA256

ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5
SHA512

f849f4aa57637f48de6ee9eb1afa5f27f423222fef3e432a1e67c517211ad28619c9e8e7ed0bc26d09683c55c4685413196e9a7d6a66078662f087886307986f
SSDEEP

12288:G9vE+VF9mOx9ukEv3g6drKcXrCf/QOKx/KjWFY:+vE+V3mOGk+dddCf3klY

Score

9^/10

collection discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x00070000000235a3-23.dat	Nirsoft
behavioral2/files/0x00070000000235a5-30.dat	Nirsoft
behavioral2/files/0x000300000000070b-35.dat	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/files/0x000300000000070b-35.dat	MailPassView

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe

Executes dropped EXE 4 IoCs

pid	Process
2852	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
5056	passwordfox.exe
2368	iepv.exe
1588	mailpv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	passwordfox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iepv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailpv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	iepv.exe
Token: SeRestorePrivilege	2368	iepv.exe
Token: SeBackupPrivilege	2368	iepv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2408	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	89
PID 2488 wrote to memory of 2408	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	89
PID 2488 wrote to memory of 2408	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	89
PID 2488 wrote to memory of 2852	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	91
PID 2488 wrote to memory of 2852	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	91
PID 2488 wrote to memory of 5056	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	94
PID 2488 wrote to memory of 5056	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	94
PID 2488 wrote to memory of 5056	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	94
PID 2488 wrote to memory of 2368	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	95
PID 2488 wrote to memory of 2368	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	95
PID 2488 wrote to memory of 2368	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	95
PID 2488 wrote to memory of 1588	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	97
PID 2488 wrote to memory of 1588	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	97
PID 2488 wrote to memory of 1588	2488	ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe	97

C:\Users\Admin\AppData\Local\Temp\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
"C:\Users\Admin\AppData\Local\Temp\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe "C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.il"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
  C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
  C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\iepv.exe
  C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\ie.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\mailpv.exe
  C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mail.txt
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ie.txt

Filesize
1KB

MD5
d70913819f8f59ed27d9b3e795244b09

SHA1
a240a934d289e177612f419421cbc8ad61603e18

SHA256
eac08ebd3d06b7bf9f20fb4856d81364b7a54f6ee141b151e4b2369fd28328e4

SHA512
3a92ec8181ec40adc729ef0fa08d3555e7011bbe681bcd50830ca6dd6ca8d2f14839eb81a89d51f883231039d86b41b2ea81efd497b0e4f3d974ceda4a22521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv.exe

Filesize
88KB

MD5
96eaf707a7f5e252e0ef640a9f9a41e9

SHA1
1db028b8e2dad98ab25abfa498ffd0e344b8178c

SHA256
9bf3183768ab8133f686e9d59adf9ac7f157a6442026d00fcd49c177deca6de2

SHA512
12f7a815f141c125a50941bace6256de41eb6459f5dae49def6a5d150b816b48b054efa3ef0370d87b546098edb4f6ad2e1d6ebea835eb233bd98f7d225d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailpv.exe

Filesize
96KB

MD5
3f5aca02abb16dbf86748596e4fa0258

SHA1
1588bfd4e090d3d194879899c02dcc207d5ca257

SHA256
10f703168cc43f60bfd54c69242d3db63d2d60e1114de74956a2439b8a8b3ed0

SHA512
bb96706ec69bee65e94fd5cc5a112e3e50f12d6895444144f7c5190e298960b02a2c922ac249deb2e3fd5f3d23e52b95058cf6262e5599823b576f849fe4b420

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwordfox.exe

Filesize
88KB

MD5
09b98d668124d3894814f57e84da1b25

SHA1
13e3ede7c513d7e6853f99309b83ca01a1de41fd

SHA256
432a3ec81735e216dc8a1d637b92158f261b841155960c621c9c149875de4512

SHA512
2f028fe6333a2a7604d919b11172960623f11acccc03626fb85888cf5c5b3e6eb69850baa1e8088ef2d29b4cef9334d2f6496290946e3309f9b1c0b9e1075615

Download Submit
C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.exe

Filesize
2KB

MD5
095cc4a4334e6ee3519cdfffdd770ea8

SHA1
8ea6d25e59f26abf31b7e98e188b0afca852e131

SHA256
201591434889d501c8ca3fd0db0c5afed2dce75c25571572f5f4e822be158469

SHA512
27629881c9a5517a09c2228738aacd8680a2bda557ed8dd3562805b7cfe5d9d9b01eea6a2a12cd33778a57210f7d1cec5fc5eac4926690c27ef92e19ee962968

Download Submit
C:\Users\Admin\AppData\Roaming\ec17c87657c179cf67a732f1e21542bbf7ed3a1042b686118f42ec8ca61beea5.il

Filesize
953B

MD5
62c4315b5f4e146ab5df0e140510d808

SHA1
b21764e06f0ddf1e619ac3cced12fdcf5a263840

SHA256
ebf04b0daf55819eb23925e693c6310abbbbe5ce8895bd91442efc761c5741e9

SHA512
91b055e9f3da0f2cbf9611aec9dbb080fdc8a30ef0d0c2bb1ec0e3f86db44ee58b5a6dde90bccbc63b7131a1ff64b26ece68a5332a3fdff4a8419fd29aad613f

Download Submit
memory/2408-6-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2488-5-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2488-25-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/2488-42-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2488-19-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2488-3-0x000000001C2A0000-0x000000001C346000-memory.dmp

Filesize
664KB

Download
memory/2488-40-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2488-15-0x000000001C3E0000-0x000000001C442000-memory.dmp

Filesize
392KB

Download
memory/2488-0-0x00007FFC75255000-0x00007FFC75256000-memory.dmp

Filesize
4KB

Download
memory/2488-20-0x000000001D830000-0x000000001D8CC000-memory.dmp

Filesize
624KB

Download
memory/2488-2-0x000000001BD20000-0x000000001C1EE000-memory.dmp

Filesize
4.8MB

Download
memory/2488-1-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2488-38-0x00007FFC75255000-0x00007FFC75256000-memory.dmp

Filesize
4KB

Download
memory/2488-39-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2852-14-0x00007FFC75255000-0x00007FFC75256000-memory.dmp

Filesize
4KB

Download
memory/2852-41-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download
memory/2852-18-0x00007FFC74FA0000-0x00007FFC75941000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing