a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a

General

Target

a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
Size

1.6MB
MD5

aa1101d3c7afdb51d8520ead1e690c9a
SHA1

f385e25cbc51dd820a87f9c0f4618a9e92f4090b
SHA256

a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a
SHA512

3671850bad614f34d6e6f818e4fdb15b7651b121c264758e083796aed957d008982b5605b9e5ac33512641c510ac568e073e0ea9214f92577ae8c53aaf4fbf98

Score

8^/10

spyware ransomware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UndoUnprotect.tiff.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\ExportDisconnect.tif.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\RepairEdit.tif.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\SkipClose.tif.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\StepRead.tiff.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\UnblockFind.png.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\ImportComplete.png.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\RequestResize.png.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Users\Admin\Pictures\SelectRestore.tif.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe

Drops file in Program Files directory 8 IoCs

Processes:

a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe

description	ioc	process
File created	C:\Program Files\PushSelect.tiff.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\ResetShow.dotm.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\ShowRemove.gif.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\StartPublish.potm.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\UnpublishGroup.sql.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\DisconnectPing.txt.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\EnterResize.bmp.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
File created	C:\Program Files\GrantPush.avi.Sil3nt5pring	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe

description	pid	process	target process
PID 1464 wrote to memory of 1508	1464	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe	cmd.exe
PID 1464 wrote to memory of 1508	1464	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe	cmd.exe
PID 1464 wrote to memory of 1508	1464	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe	cmd.exe
PID 1464 wrote to memory of 1508	1464	a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a.bin.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads