d89f8d317cf5f8600cc5abe52846f38bf191ecbfb841817696d89d59dbca03c1

General

Target

other malware cuz why not/[email protected]
Size

2.0MB
MD5

c7e9746b1b039b8bd1106bca3038c38f
SHA1

cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256

b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512

cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
SSDEEP

49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan"	[email protected]

Drops file in Program Files directory 2 IoCs

Processes:

[email protected]

description	ioc	process
File created	C:\Program Files (x86)\AnVi\splash.mp3	[email protected]
File created	C:\Program Files (x86)\AnVi\virus.mp3	[email protected]

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

[email protected]net.exenet.exenet.exenet1.exenet1.exenet1.exemofcomp.exenet.exenet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	[email protected]

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

[email protected]

pid	process
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mofcomp.exe

description pid process

Token: SeSecurityPrivilege 2724 mofcomp.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

[email protected]

pid process

2080 [email protected]
2080 [email protected]
2080 [email protected]
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

[email protected]

pid process

2080 [email protected]
2080 [email protected]
2080 [email protected]

description	pid	process
Token: SeSecurityPrivilege	2724	mofcomp.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

[email protected]

pid	process
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]
2080	[email protected]

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

[email protected]net.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2080 wrote to memory of 3052	2080	[email protected]	net.exe
PID 2080 wrote to memory of 3052	2080	[email protected]	net.exe
PID 2080 wrote to memory of 3052	2080	[email protected]	net.exe
PID 2080 wrote to memory of 3052	2080	[email protected]	net.exe
PID 2080 wrote to memory of 872	2080	[email protected]	net.exe
PID 2080 wrote to memory of 872	2080	[email protected]	net.exe
PID 2080 wrote to memory of 872	2080	[email protected]	net.exe
PID 2080 wrote to memory of 872	2080	[email protected]	net.exe
PID 2080 wrote to memory of 804	2080	[email protected]	net.exe
PID 2080 wrote to memory of 804	2080	[email protected]	net.exe
PID 2080 wrote to memory of 804	2080	[email protected]	net.exe
PID 2080 wrote to memory of 804	2080	[email protected]	net.exe
PID 2080 wrote to memory of 612	2080	[email protected]	net.exe
PID 2080 wrote to memory of 612	2080	[email protected]	net.exe
PID 2080 wrote to memory of 612	2080	[email protected]	net.exe
PID 2080 wrote to memory of 612	2080	[email protected]	net.exe
PID 2080 wrote to memory of 2724	2080	[email protected]	mofcomp.exe
PID 2080 wrote to memory of 2724	2080	[email protected]	mofcomp.exe
PID 2080 wrote to memory of 2724	2080	[email protected]	mofcomp.exe
PID 2080 wrote to memory of 2724	2080	[email protected]	mofcomp.exe
PID 3052 wrote to memory of 2856	3052	net.exe	net1.exe
PID 3052 wrote to memory of 2856	3052	net.exe	net1.exe
PID 3052 wrote to memory of 2856	3052	net.exe	net1.exe
PID 3052 wrote to memory of 2856	3052	net.exe	net1.exe
PID 804 wrote to memory of 3068	804	net.exe	net1.exe
PID 804 wrote to memory of 3068	804	net.exe	net1.exe
PID 804 wrote to memory of 3068	804	net.exe	net1.exe
PID 804 wrote to memory of 3068	804	net.exe	net1.exe
PID 872 wrote to memory of 2888	872	net.exe	net1.exe
PID 872 wrote to memory of 2888	872	net.exe	net1.exe
PID 872 wrote to memory of 2888	872	net.exe	net1.exe
PID 872 wrote to memory of 2888	872	net.exe	net1.exe
PID 612 wrote to memory of 2804	612	net.exe	net1.exe
PID 612 wrote to memory of 2804	612	net.exe	net1.exe
PID 612 wrote to memory of 2804	612	net.exe	net1.exe
PID 612 wrote to memory of 2804	612	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\[email protected]
"C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\[email protected]"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Windows\SysWOW64\net.exe
  net stop winmgmt /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Windows\SysWOW64\net.exe
  net start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Windows\SysWOW64\net.exe
  net start wscsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\SysWOW64\Wbem\mofcomp.exe
  mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

Filesize
443B

MD5
7fad92afda308dca8acfc6ff45c80c24

SHA1
a7fa35e7f90f772fc943c2e940737a48b654c295

SHA256
76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f

SHA512
49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads