dbbbcaf5c6f835feb0fee8af174ba42e3b569fdc18452098bcb47a3d9c3a0031

General

Target

download(1).exe
Size

482KB
MD5

739c71736f8e8efd9028e4a3aaaf5e55
SHA1

e8b7e270bbd435022246b417576257bd3f2743c0
SHA256

dbbbcaf5c6f835feb0fee8af174ba42e3b569fdc18452098bcb47a3d9c3a0031
SHA512

99dffa567d8189066fff53bf58d77c0fd3eb9fb7d0a352e3dbb123193bb6bf5cf75c3eb2d7e0a55200109dea82f4b9ec987f12e28391cb437489fcc4aa93fb8c
SSDEEP

12288:J13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQHfS:bak/mBXTV/R0nEF76gFZ8f

Score

9^/10

collection discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4440-9-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4336-11-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2204-21-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4440-25-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4336-20-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4440-15-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2204-14-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2204-13-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4336-27-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2204-21-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2204-14-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2204-13-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4336-11-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4336-20-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4336-27-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	412	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	download(1).exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5104 set thread context of 4336	5104	download(1).exe	97
PID 5104 set thread context of 2204	5104	download(1).exe	98
PID 5104 set thread context of 4440	5104	download(1).exe	99

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download(1).exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2304	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4336	download(1).exe
4336	download(1).exe
4440	download(1).exe
4440	download(1).exe
4336	download(1).exe
4336	download(1).exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5104	download(1).exe
5104	download(1).exe
5104	download(1).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	download(1).exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4336	5104	download(1).exe	97
PID 5104 wrote to memory of 4336	5104	download(1).exe	97
PID 5104 wrote to memory of 4336	5104	download(1).exe	97
PID 5104 wrote to memory of 2204	5104	download(1).exe	98
PID 5104 wrote to memory of 2204	5104	download(1).exe	98
PID 5104 wrote to memory of 2204	5104	download(1).exe	98
PID 5104 wrote to memory of 4440	5104	download(1).exe	99
PID 5104 wrote to memory of 4440	5104	download(1).exe	99
PID 5104 wrote to memory of 4440	5104	download(1).exe	99

C:\Users\Admin\AppData\Local\Temp\download(1).exe
"C:\Users\Admin\AppData\Local\Temp\download(1).exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\download(1).exe
  C:\Users\Admin\AppData\Local\Temp\download(1).exe /stext "C:\Users\Admin\AppData\Local\Temp\gdtyxcvtbjhussdbeakhqyvidsqbovwo"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\download(1).exe
  C:\Users\Admin\AppData\Local\Temp\download(1).exe /stext "C:\Users\Admin\AppData\Local\Temp\ixzj"
  2⤵
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\download(1).exe
  C:\Users\Admin\AppData\Local\Temp\download(1).exe /stext "C:\Users\Admin\AppData\Local\Temp\tzebynro"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzEzQ0UzNkItOTk5Qi00RjMyLTlCOEUtMDk2RTdFMDlFNEZFfSIgdXNlcmlkPSJ7QTNCNzQzM0ItNjc0MC00MzlFLUJEM0EtOTkzRTVDRTg2M0REfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTFCNjMyMTctOThGQy00MkVCLTkzMjUtODRCQ0JBRjhBMUZDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzc4NTU0MTQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gdtyxcvtbjhussdbeakhqyvidsqbovwo

Filesize
4KB

MD5
1245837766859f06aee4c1a35664d3cb

SHA1
4809d98a23028796edc24c9db3626badf3945f89

SHA256
ec854b9d35627d8c681f1b8996fccd647913629bc493385123a9ec724970a955

SHA512
773abe92bd9e38f71d8b994467729dffedfac7a6b97a730083698a45a221e6e11790b18f270b4dafd569337ea3363f923fec009e1a7d7ec62bbec411ff55075c

Download Submit
memory/2204-13-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2204-21-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2204-14-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2204-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2204-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4336-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4336-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4336-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4336-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4336-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4440-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4440-22-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/4440-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5104-30-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5104-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5104-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing