817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a

General

Target

817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
Size

345KB
MD5

fc01e536eb60eb27a3f954ccfb7cdc5a
SHA1

7355be1ed9bf00067e84f8207345923325fd7d32
SHA256

817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a
SHA512

12ce88e18be740d705b2f4305252943322d0578194947bf1f595e3b5a22df708b9abfbe321d8a5422830f49b8692b003f78e85a5d0271a94bf4a74d8c63220e7
SSDEEP

6144:+PtFqR7FDwaIJGIDHO4Il8Uc/IX9rER13dLeeWEXTFI1tEnnbGQVNXv9uOS9U:6jqRxJlsu4j2Ngtee/TFI1tEnnbGqNXF

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
13	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
17	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe

Executes dropped EXE 3 IoCs

pid	Process
2004	0CUUFTCSJEOGKM8GLWKW7ES7MQAY2SD.exe
3232	NK3B1IIVUWW0SFL0.exe
3748	atkexComSvc.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3457531954-2054407110-1019940402-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\atkexComSvc = "C:\\ProgramData\\atkexComSvc.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4288	2004	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0CUUFTCSJEOGKM8GLWKW7ES7MQAY2SD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NK3B1IIVUWW0SFL0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atkexComSvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4192	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
3232	NK3B1IIVUWW0SFL0.exe
3232	NK3B1IIVUWW0SFL0.exe
3748	atkexComSvc.exe
3748	atkexComSvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
Token: SeImpersonatePrivilege	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2004	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	81
PID 2104 wrote to memory of 2004	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	81
PID 2104 wrote to memory of 2004	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	81
PID 2104 wrote to memory of 3232	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	85
PID 2104 wrote to memory of 3232	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	85
PID 2104 wrote to memory of 3232	2104	817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe	85
PID 3232 wrote to memory of 3656	3232	NK3B1IIVUWW0SFL0.exe	86
PID 3232 wrote to memory of 3656	3232	NK3B1IIVUWW0SFL0.exe	86
PID 3232 wrote to memory of 3656	3232	NK3B1IIVUWW0SFL0.exe	86
PID 3656 wrote to memory of 4192	3656	cmd.exe	88
PID 3656 wrote to memory of 4192	3656	cmd.exe	88
PID 3656 wrote to memory of 4192	3656	cmd.exe	88
PID 4004 wrote to memory of 3748	4004	cmd.exe	91
PID 4004 wrote to memory of 3748	4004	cmd.exe	91
PID 4004 wrote to memory of 3748	4004	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe
"C:\Users\Admin\AppData\Local\Temp\817a988946844440df765ab64052f276470e3081294a4dc4d5d19adb74b3aa8a.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\0CUUFTCSJEOGKM8GLWKW7ES7MQAY2SD.exe
  "C:\Users\Admin\AppData\Local\Temp\0CUUFTCSJEOGKM8GLWKW7ES7MQAY2SD.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 696
    3⤵
    - Program crash
    PID:4288
- C:\Users\Admin\AppData\Local\Temp\NK3B1IIVUWW0SFL0.exe
  "C:\Users\Admin\AppData\Local\Temp\NK3B1IIVUWW0SFL0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v atkexComSvc /t REG_SZ /d C:\ProgramData\atkexComSvc.exe /f"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v atkexComSvc /t REG_SZ /d C:\ProgramData\atkexComSvc.exe /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2004 -ip 2004
1⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\atkexComSvc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\ProgramData\atkexComSvc.exe
  C:\ProgramData\atkexComSvc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0CUUFTCSJEOGKM8GLWKW7ES7MQAY2SD.exe

Filesize
10.8MB

MD5
b4f95c0def652145e9a081896c1ff0b3

SHA1
96e18c8e8e7d6548d4551038951a3231867f9ba3

SHA256
6f0c30497c42675d68a4dfcddbb8b4a4699a28bbd05fc0feea91dc3c537c4ed6

SHA512
200cc62bf1c9dcc48723b252e6c4abeab45e7e20346fa6da8b4aa58d47bfa1af3e47ac397df1ae96c8c6a6d4c2f3cbf856d583d275f4c06501c2961be8a32fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NK3B1IIVUWW0SFL0.exe

Filesize
10.5MB

MD5
957e7d44b235699be79351c274cd8b99

SHA1
e10f2b728fd02e49c80591241b239a96a029c6be

SHA256
2e0a299e318a9a6928bc24b228e976a09c5322343bf0449620d42d04b615c739

SHA512
baed1a2ea2d0476f61e5c10389998a5335ca18d790377c27330a91700078bb09b1f93d2e7457afa045c41b866ce732903f1b1a18038b72ca8579ab62a5bf5c35

Download Submit
memory/2004-7-0x0000000000C10000-0x00000000016DD000-memory.dmp

Filesize
10.8MB

Download
memory/2004-8-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/2004-12-0x0000000000C10000-0x00000000016DD000-memory.dmp

Filesize
10.8MB

Download
memory/3232-21-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3232-24-0x0000000000400000-0x0000000000CA6000-memory.dmp

Filesize
8.6MB

Download
memory/3232-16-0x0000000000E80000-0x0000000000E83000-memory.dmp

Filesize
12KB

Download
memory/3232-17-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3232-22-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3232-13-0x0000000002BF0000-0x0000000002F16000-memory.dmp

Filesize
3.1MB

Download
memory/3232-23-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3232-14-0x0000000002BF0000-0x0000000002F16000-memory.dmp

Filesize
3.1MB

Download
memory/3232-31-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3232-47-0x0000000003B20000-0x00000000040D0000-memory.dmp

Filesize
5.7MB

Download
memory/3748-35-0x0000000003B50000-0x0000000004100000-memory.dmp

Filesize
5.7MB

Download
memory/3748-40-0x0000000003B50000-0x0000000004100000-memory.dmp

Filesize
5.7MB

Download
memory/3748-39-0x0000000003B50000-0x0000000004100000-memory.dmp

Filesize
5.7MB

Download
memory/3748-41-0x0000000003B50000-0x0000000004100000-memory.dmp

Filesize
5.7MB

Download
memory/3748-44-0x0000000000400000-0x0000000000CA6000-memory.dmp

Filesize
8.6MB

Download
memory/3748-34-0x0000000001010000-0x0000000001013000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads