Overview

overview

9

Static

static

f30c46e059...81.exe

windows7_x64

8

f30c46e059...81.exe

windows10_x64

9

Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06-11-2020 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081.exe

  • Size

    194KB

  • MD5

    7d2dc7966620bcd8bdb04e33bea3486a

  • SHA1

    6c2a2bdd4250696a15af3e58a560763daffa0a63

  • SHA256

    f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081

  • SHA512

    ca4fc950e69c16c328932571935509931aa40cf803e34ad03b54045887e69beec4bd0b7f821dbfd70f0ebd0b1f233b4133d018bea843001d17342cb47fc09d5a

Score
9/10
discoveryspywarestealer

Malware Config

Signatures

  • ServiceHost packer 10 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081.exe
    "C:\Users\Admin\AppData\Local\Temp\f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081.exe' -Destination 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
        "C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $shell = New-Object -ComObject WScript.Shell;$shortcut = $shell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiedxx.lnk');$shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe';$shortcut.Save()
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          Powershell Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
        • C:\Users\Admin\AppData\Local\Temp\1604213635_Tausuus.exe
          "C:\Users\Admin\AppData\Local\Temp\1604213635_Tausuus.exe" 0
          4⤵
          • Executes dropped EXE
          PID:204
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1296
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3636
        • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\dxetiax\1.log
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3112
        • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
          /scomma C:\Users\Admin\AppData\Local\dxetiax\2.log
          4⤵
            PID:4076

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      e71a0a7e48b10bde0a9c54387762f33e

      SHA1

      fed75947f1163b00096e24a46e67d9c21e7eeebd

      SHA256

      83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

      SHA512

      394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      MD5

      c2d06c11dd1f1a8b1dedc1a311ca8cdc

      SHA1

      75c07243f9cb80a9c7aed2865f9c5192cc920e7e

      SHA256

      91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

      SHA512

      db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      2f5184e716cc9bd1b99680bea85ac056

      SHA1

      0238fb03b38e07bdf5cdce091713effc96ad6dee

      SHA256

      b1086a273ac5c22a385d704e82ca4c8580ce1ab4bfa1e125b802938ea1ca897c

      SHA512

      bb1fc441b7b51b6a709f0bf4c9c96b72e1b3f36416132a857846ecd9bfef48f78481a0ee2aded1fcacb8d4d769c779e0d225874e7de94cc8b75aa0dcbd002ee1

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      f2f0ccf7279e90dd37015dbd93641c67

      SHA1

      3ab6d540c1d10d31ea98461a276bef00f0b7ae48

      SHA256

      82c4c4a56de984efbaa41f8ce1fc4bfee567188cd3b305488ef903b4e4c80d79

      SHA512

      adc3a5082879b7d03967cf034aa05fb573982e36b540eb861bec52868311f621951b4a71781cd5c6adf257151a28be4fa7679b39980c80b5b1e889912e8d5020

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1604213635_Tausuus.exe
      MD5

      d649d10622adb5868707a316a202ef82

      SHA1

      c5c39f10b5c49f3b7a241dde29e3a1addff5e65a

      SHA256

      db7e6c40305d5b8563fb4ae8cf0397fb5ebe4d3912712a943e6679052f39d4bc

      SHA512

      0c88b28c59fd9eb13494889b6d0ffff807252119aeedf2614395f9f9d00509673d60b7b89ddc491fd1300e494eef14883a0e45a2bce27461d04d11a518ec1bcb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1604213635_Tausuus.exe
      MD5

      d649d10622adb5868707a316a202ef82

      SHA1

      c5c39f10b5c49f3b7a241dde29e3a1addff5e65a

      SHA256

      db7e6c40305d5b8563fb4ae8cf0397fb5ebe4d3912712a943e6679052f39d4bc

      SHA512

      0c88b28c59fd9eb13494889b6d0ffff807252119aeedf2614395f9f9d00509673d60b7b89ddc491fd1300e494eef14883a0e45a2bce27461d04d11a518ec1bcb

      Download Submit
    • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
      MD5

      7d2dc7966620bcd8bdb04e33bea3486a

      SHA1

      6c2a2bdd4250696a15af3e58a560763daffa0a63

      SHA256

      f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081

      SHA512

      ca4fc950e69c16c328932571935509931aa40cf803e34ad03b54045887e69beec4bd0b7f821dbfd70f0ebd0b1f233b4133d018bea843001d17342cb47fc09d5a

      Download Submit
    • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
      MD5

      7d2dc7966620bcd8bdb04e33bea3486a

      SHA1

      6c2a2bdd4250696a15af3e58a560763daffa0a63

      SHA256

      f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081

      SHA512

      ca4fc950e69c16c328932571935509931aa40cf803e34ad03b54045887e69beec4bd0b7f821dbfd70f0ebd0b1f233b4133d018bea843001d17342cb47fc09d5a

      Download Submit
    • C:\Users\Admin\AppData\Local\dxetiax\atiedxx.exe
      MD5

      7d2dc7966620bcd8bdb04e33bea3486a

      SHA1

      6c2a2bdd4250696a15af3e58a560763daffa0a63

      SHA256

      f30c46e059ef7bf3382e27f6e6745c5e64682ba9fbb60a61c087c3f1cc1ba081

      SHA512

      ca4fc950e69c16c328932571935509931aa40cf803e34ad03b54045887e69beec4bd0b7f821dbfd70f0ebd0b1f233b4133d018bea843001d17342cb47fc09d5a

      Download Submit
    • memory/204-78-0x0000000000000000-mapping.dmp
      Download
    • memory/204-77-0x0000000000000000-mapping.dmp
      Download
    • memory/204-62-0x0000000000000000-mapping.dmp
      Download
    • memory/204-73-0x0000000000000000-mapping.dmp
      Download
    • memory/204-74-0x0000000000000000-mapping.dmp
      Download
    • memory/204-75-0x0000000000000000-mapping.dmp
      Download
    • memory/204-76-0x0000000000000000-mapping.dmp
      Download
    • memory/204-79-0x0000000000000000-mapping.dmp
      Download
    • memory/204-80-0x0000000000000000-mapping.dmp
      Download
    • memory/204-82-0x0000000000000000-mapping.dmp
      Download
    • memory/204-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1180-12-0x00000000087A0000-0x00000000087A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1180-10-0x0000000007E80000-0x0000000007E81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-7-0x0000000007E10000-0x0000000007E11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-8-0x0000000008060000-0x0000000008061000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-6-0x00000000075B0000-0x00000000075B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-9-0x00000000080D0000-0x00000000080D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-5-0x0000000007770000-0x0000000007771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-11-0x0000000007EB0000-0x0000000007EB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-4-0x0000000004C50000-0x0000000004C51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-17-0x000000000A8B0000-0x000000000A8B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-16-0x0000000009D30000-0x0000000009D31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-15-0x00000000094B0000-0x00000000094B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-14-0x0000000009460000-0x0000000009461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-13-0x0000000009710000-0x0000000009711000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1180-3-0x00000000731F0000-0x00000000738DE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2180-39-0x0000000000000000-mapping.dmp
      Download
    • memory/2180-40-0x0000000072940000-0x000000007302E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2180-67-0x0000000009730000-0x0000000009731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-65-0x0000000009740000-0x0000000009741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-60-0x00000000095D0000-0x00000000095D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-59-0x0000000009270000-0x0000000009271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-52-0x0000000009290000-0x00000000092C3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2180-49-0x0000000008200000-0x0000000008201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-46-0x0000000007E30000-0x0000000007E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3108-34-0x00000000080C0000-0x00000000080C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3108-31-0x0000000007750000-0x0000000007751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3108-25-0x0000000072A20000-0x000000007310E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3108-23-0x0000000000000000-mapping.dmp
      Download
    • memory/3112-93-0x0000000000447D8A-mapping.dmp
      Download
    • memory/3112-92-0x0000000000400000-0x0000000000477000-memory.dmp
      Filesize

      476KB

      Download
    • memory/3112-95-0x0000000000400000-0x0000000000477000-memory.dmp
      Filesize

      476KB

      Download
    • memory/3636-72-0x0000000004630000-0x0000000004631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3636-83-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3968-18-0x0000000000000000-mapping.dmp
      Download