6e765cbef6d47cb4e9ed599b360156c700e5f9f38eae31cb081595e1791c54af

Resubmissions

16-11-2022 10:41

221116-mq9fjaeb31 8

07-09-2020 18:51

200907-pl7ygfpqxs 7

Analysis

max time kernel
77s
max time network
112s
platform
windows10_x64
resource
win10v200722
submitted
07-09-2020 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe
Size

76KB
MD5

a4782bbfe7300e51e2e3f962fe9ea33f
SHA1

9b5facdba4a5dc8395874e3fd91b983048157f28
SHA256

d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35
SHA512

544a15f6039d1cac735f15d9c1a6504e8ac9836b2c5fa02f2620ed570bbe98c87950d389928927c0fa42b6c3223709db52af869ba491930370cd9757538d66d9

Score

7^/10

spyware persistence

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinWord64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe\" "	d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 3d0cd41b5885d601	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 2628 svchost.exe
Token: SeCreatePagefilePrivilege 2628 svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeCreatePagefilePrivilege	2628	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe
"C:\Users\Admin\AppData\Local\Temp\d62b8ff3de422cdacdc3bc804990c2c12a0b3675c9c98e38f5788b693ec5ff35.exe"
1⤵
- Adds Run key to start application
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads