Analysis

  • max time kernel: 124s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 08-04-2021 07:31

General

  • Target: 2295742285186ecb7ff7c4634d31bdc8.exe
  • Size: 1.3MB
  • MD5: 2295742285186ecb7ff7c4634d31bdc8
  • SHA1: f76643300796393b1e616f7e2d925644faae5caf
  • SHA256: 0cd1346813ea66e5ecb353180f0f01d9b2e53b230ccb5aece10e4366d632df25
  • SHA512: 102a852a9f4b9513dd41935c96cda22647151f06f3f10601f1e1d65f938e539e0447eae4029de0c5a88762a2c6e29afccf14e5f10447f3cd5df75acfb9be605c

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\2295742285186ecb7ff7c4634d31bdc8.exe (PID 1056)
      Command line: "{path}"
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\servs.exe (PID 916)
        Command line: "C:\Users\Admin\AppData\Local\Temp\servs.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\is-9KFLL.tmp\servs.tmp (PID 1752)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-9KFLL.tmp\servs.tmp" /SL5="$60130,10541093,724480,C:\Users\Admin\AppData\Local\Temp\servs.exe"
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • C:\Windows\system32\cmd.exe (PID 1216)
            Command line: "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat""
            • Suspicious use of WriteProcessMemory
            • C:\Windows\system32\timeout.exe (PID 1360)
              Command line: TIMEOUT /T 8
              • Delays execution with timeout.exe
      • C:\Program Files\Internet Explorer\iexplore.exe (PID 324)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1x8vh7
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 556)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:275457 /prefetch:2
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • T1112 Modify Registry (2)
    • T1130 Install Root Certificate (1)
  • Credential Access
    • T1081 Credentials in Files (2)
  • Discovery
    • T1012 Query Registry (1)
    • T1082 System Information Discovery (1)
  • Collection
    • T1005 Data from Local System (2)
  • Command and Control
    • T1102 Web Service (1)


Downloads

  • C:\ProgramData\pass.exe
  • C:\ProgramData\uacwev.bat
  • C:\ProgramData\uxtheme.dll
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
  • C:\Users\Admin\AppData\Local\Temp\is-9KFLL.tmp\servs.tmp
  • C:\Users\Admin\AppData\Local\Temp\servs.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9KKQEY5F.txt
