792a7e3d90b110f71d0c6e67a70866b72d06dd65189f4e3ba96a90813e093df8

General

Target

mor.exe
Size

1.8MB
MD5

8047e6794185e04962dd0129578ad5fb
SHA1

eec92485bde641aaf2284c5bf39c2684a229af7c
SHA256

792a7e3d90b110f71d0c6e67a70866b72d06dd65189f4e3ba96a90813e093df8
SHA512

53599cf3a81dd33fa98aefb0ed9836fa2177f7c5eb72ca8deb3f79af18d6af583180eef2d58ef3aff5db09b2594e3ae818e913d4d3ed477f20e282979e57dd6a

Score

7^/10

spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

Processes:

mor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZDAW0I3Y\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Q8AAMSB\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	mor.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	mor.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	mor.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	mor.exe

Drops startup file 1 IoCs

Processes:

mor.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# M0rphine Help #.hta mor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# M0rphine Help #.hta	mor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

mor.exe

description	pid	process	target process
PID 1064 wrote to memory of 1392	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1392	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1392	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1392	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1812	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1812	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1812	1064	mor.exe	cmd.exe
PID 1064 wrote to memory of 1812	1064	mor.exe	cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1812 cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mshta.exe

pid process

276 mshta.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
1812	cmd.exe

pid	process
276	mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Makes http(s) request 2 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	4	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL	6	http://extreme-ip-lookup.com/json/

Go-http-client UserAgent 1 IoCs

Processes:

description flow ioc

HTTP User-Agent header 6 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\mor.exe
"C:\Users\Admin\AppData\Local\Temp\mor.exe"
1⤵
- Drops desktop.ini file(s)
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c ver
2⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\mor.exe
2⤵
- Deletes itself
PID:1812

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\# M0rphine Help #.hta"
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\# M0rphine Help #.hta

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads