8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92

Analysis

max time kernel
35s
max time network
86s
platform
windows7_x64
resource
win7v20210408
submitted
27-07-2021 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
Size

327KB
MD5

a6ff10bf67216daf5ab754766452ffe7
SHA1

32ad072c26e0deeffd71de36e45d6c3505cce3ea
SHA256

8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92
SHA512

a2b0c9110588f19670390ce1ab9281a019c400e3a83b046afd55951cf24624217a035d921bda28e908a720a0afb2592f5d52258f1369bef887588cf67a4636d0

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Injector.exesbvc.exeSvc_host.exe

pid process

468 Injector.exe
1504 sbvc.exe
1876 Svc_host.exe

pid	process
468	Injector.exe
1504	sbvc.exe
1876	Svc_host.exe

Loads dropped DLL 9 IoCs

Processes:

8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exeInjector.exesbvc.exe

pid	process
1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
468	Injector.exe
1504	sbvc.exe
1504	sbvc.exe
1504	sbvc.exe
1504	sbvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Injector.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Injector.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Injector.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
9 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeSvc_host.exe

pid process

1020 powershell.exe
1020 powershell.exe
1876 Svc_host.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeInjector.exeSvc_host.exe

description pid process

Token: SeDebugPrivilege 1020 powershell.exe
Token: SeDebugPrivilege 468 Injector.exe
Token: SeDebugPrivilege 1876 Svc_host.exe

flow	ioc
7	checkip.dyndns.org
9	ipinfo.io

pid	process
1020	powershell.exe
1020	powershell.exe
1876	Svc_host.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	468	Injector.exe
Token: SeDebugPrivilege	1876	Svc_host.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exeInjector.exesbvc.exe

description	pid	process	target process
PID 1984 wrote to memory of 468	1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe	Injector.exe
PID 1984 wrote to memory of 468	1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe	Injector.exe
PID 1984 wrote to memory of 468	1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe	Injector.exe
PID 1984 wrote to memory of 468	1984	8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe	Injector.exe
PID 468 wrote to memory of 1020	468	Injector.exe	powershell.exe
PID 468 wrote to memory of 1020	468	Injector.exe	powershell.exe
PID 468 wrote to memory of 1020	468	Injector.exe	powershell.exe
PID 468 wrote to memory of 1020	468	Injector.exe	powershell.exe
PID 468 wrote to memory of 1504	468	Injector.exe	sbvc.exe
PID 468 wrote to memory of 1504	468	Injector.exe	sbvc.exe
PID 468 wrote to memory of 1504	468	Injector.exe	sbvc.exe
PID 468 wrote to memory of 1504	468	Injector.exe	sbvc.exe
PID 1504 wrote to memory of 1876	1504	sbvc.exe	Svc_host.exe
PID 1504 wrote to memory of 1876	1504	sbvc.exe	Svc_host.exe
PID 1504 wrote to memory of 1876	1504	sbvc.exe	Svc_host.exe
PID 1504 wrote to memory of 1876	1504	sbvc.exe	Svc_host.exe

C:\Users\Admin\AppData\Local\Temp\8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe
"C:\Users\Admin\AppData\Local\Temp\8baef64e7e99be9eae669f1d2af78d40ec4a1807da7cdd7e80fb5a9787dadc92.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\sbvc.exe
"C:\Users\Admin\AppData\Local\Temp\sbvc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Newtonsoft.Json.dll
MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe.config
MD5
c06f5086e023a7d6fb37e64e8255de3d

SHA1
eaac13e0bdb5faf32ad3f8919db6b9bcf7a85987

SHA256
362fa63d52a57f001971b68ab18beefa1c4517c3fc31b3c703a7bb8644aee0bf

SHA512
8501162c935523315d905f2ea80810236649aa7e96d091e5714daf9b207917100429643bf76abee9e67bdc1f424e078bcd06a35a29059772b138f6a52da1aefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\System.Data.SQLite.dll
MD5
83dfd2fe35efb2154bcdd3b475f378f2

SHA1
43eaf586250bf5c8b32eb832cf3479a8dbf7cca2

SHA256
7a4dde948b573b5a92cb1f63a2201006e61ea24107d9668a36efa378e8d48f08

SHA512
0fa675541530a02285d4144df0f85a838a415466f7ea08251297e062a1fa33c475fd29539fa83a62600f4df124dc80f786b4bed2b7aecccc07d9dc09c517b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbvc.exe
MD5
2f49215b1984212fe4465288bda6a8a6

SHA1
128b5625c29559cf78caf7cb17dbce55ac6c9cba

SHA256
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c

SHA512
0466ebc3c8b36c7ebc0857693ea02bf8e6a38d5812aaa3d17b9084d312eb103c745b7e35ee6d473b565a3860e989141228a7071e1bd57f39f46d9fda0f8aa97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbvc.exe
MD5
2f49215b1984212fe4465288bda6a8a6

SHA1
128b5625c29559cf78caf7cb17dbce55ac6c9cba

SHA256
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c

SHA512
0466ebc3c8b36c7ebc0857693ea02bf8e6a38d5812aaa3d17b9084d312eb103c745b7e35ee6d473b565a3860e989141228a7071e1bd57f39f46d9fda0f8aa97f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe
MD5
b7c6098b0b6e306ef36777b41b559658

SHA1
4c3a571b606bc0afecc8b6f3aa08defe3a377634

SHA256
bc1b3e71e09eeaf3f325c101ca3804153fa7f8da50b27c288ad5ac357b89a9fb

SHA512
512e7f90dc7976935901525264cb085edd4adcb952e2e3732e1f0fc09cae83514e359f45877a6e2299446692a9619f129eb816990007962d2b0c42b88fd43e24

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Svc_host.exe
MD5
f8afe900757786eee3e00a0c501dfee0

SHA1
493645aa60156dbf756f7986b457944dc7676b29

SHA256
b30b32e3308bc4576c2e1a5fa56e4684a7b60d8fecf5cb75c8e0518ec1f901ea

SHA512
eb0fdf63d5165a57206ba91f19eca6f7abb5b01724a9029abd3c6506d7482814e6a9a8321cf18ea5b919462d94a4fad61eaa0f3594edb1ebd246a9382e44e172

Download Submit
\Users\Admin\AppData\Local\Temp\sbvc.exe
MD5
2f49215b1984212fe4465288bda6a8a6

SHA1
128b5625c29559cf78caf7cb17dbce55ac6c9cba

SHA256
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c

SHA512
0466ebc3c8b36c7ebc0857693ea02bf8e6a38d5812aaa3d17b9084d312eb103c745b7e35ee6d473b565a3860e989141228a7071e1bd57f39f46d9fda0f8aa97f

Download Submit
memory/468-64-0x0000000000000000-mapping.dmp

Download
memory/468-71-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/468-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1020-95-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1020-76-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1020-109-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1020-110-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1020-94-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1020-69-0x0000000000000000-mapping.dmp

Download
memory/1020-93-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1020-86-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1020-85-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1020-80-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1020-77-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1020-72-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1020-73-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1020-75-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/1020-74-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1504-112-0x0000000000000000-mapping.dmp

Download
memory/1876-124-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1876-120-0x0000000000000000-mapping.dmp

Download
memory/1876-126-0x0000000000B80000-0x0000000000B82000-memory.dmp

Filesize
8KB

Download
memory/1876-127-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1876-129-0x000000001B000000-0x000000001B001000-memory.dmp

Filesize
4KB

Download
memory/1876-131-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1984-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download