53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0

Resubmissions

29-11-2022 17:56

221129-wjef9aeh81 10

07-07-2022 12:21

220707-pjry1sabg2 10

21-08-2021 14:02

210821-e56bctg12a 8

Analysis

max time kernel
295s
max time network
314s
platform
windows10_x64
resource
win10v20210410
submitted
21-08-2021 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
Size

6.2MB
MD5

a56fea310f3cf5e724ee4a9990047b78
SHA1

d697340615fdb8eedd29cffd0de9ad64fef6c9c9
SHA256

53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0
SHA512

6eabf12efaae5a0493298d44cfb6bf07646064569e055c5e88b61637b97742d7b98105f1e4da6304101db9659b427e64eb0a8646cfaab674e3b607fae46abf2e

Score

8^/10

discovery spyware stealer vmprotect

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Get-Variable.exeGet-Variable.exeSpotifySetup1.exe

pid process

3004 Get-Variable.exe
2732 Get-Variable.exe
3076 SpotifySetup1.exe

pid	process
3004	Get-Variable.exe
2732	Get-Variable.exe
3076	SpotifySetup1.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/3916-120-0x0000000000400000-0x00000000015C7000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe	vmprotect
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe	vmprotect
behavioral1/memory/3004-133-0x0000000000400000-0x00000000015C7000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe	vmprotect
behavioral1/memory/2732-184-0x0000000000400000-0x00000000015C7000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe	vmprotect
behavioral1/memory/3076-196-0x0000000000400000-0x00000000015AF000-memory.dmp	vmprotect

Loads dropped DLL 5 IoCs

Processes:

SpotifySetup1.exe

pid process

3076 SpotifySetup1.exe
3076 SpotifySetup1.exe
3076 SpotifySetup1.exe
3076 SpotifySetup1.exe
3076 SpotifySetup1.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

192 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2764 PING.EXE

pid	process
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe

pid	process
192	schtasks.exe

pid	process
2764	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exeGet-Variable.exepowershell.exeGet-Variable.exeSpotifySetup1.exe

pid	process
3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
3004	Get-Variable.exe
3004	Get-Variable.exe
3004	Get-Variable.exe
3004	Get-Variable.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
2732	Get-Variable.exe
2732	Get-Variable.exe
2732	Get-Variable.exe
2732	Get-Variable.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe
3076	SpotifySetup1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3600 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3600	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exepowershell.exeGet-Variable.exeSpotifySetup1.execmd.exe

description	pid	process	target process
PID 3916 wrote to memory of 192	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	schtasks.exe
PID 3916 wrote to memory of 192	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	schtasks.exe
PID 3916 wrote to memory of 192	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	schtasks.exe
PID 3916 wrote to memory of 3004	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	Get-Variable.exe
PID 3916 wrote to memory of 3004	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	Get-Variable.exe
PID 3916 wrote to memory of 3004	3916	53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe	Get-Variable.exe
PID 3600 wrote to memory of 2732	3600	powershell.exe	Get-Variable.exe
PID 3600 wrote to memory of 2732	3600	powershell.exe	Get-Variable.exe
PID 3600 wrote to memory of 2732	3600	powershell.exe	Get-Variable.exe
PID 3004 wrote to memory of 3076	3004	Get-Variable.exe	SpotifySetup1.exe
PID 3004 wrote to memory of 3076	3004	Get-Variable.exe	SpotifySetup1.exe
PID 3004 wrote to memory of 3076	3004	Get-Variable.exe	SpotifySetup1.exe
PID 3076 wrote to memory of 2156	3076	SpotifySetup1.exe	cmd.exe
PID 3076 wrote to memory of 2156	3076	SpotifySetup1.exe	cmd.exe
PID 3076 wrote to memory of 2156	3076	SpotifySetup1.exe	cmd.exe
PID 2156 wrote to memory of 1764	2156	cmd.exe	chcp.com
PID 2156 wrote to memory of 1764	2156	cmd.exe	chcp.com
PID 2156 wrote to memory of 1764	2156	cmd.exe	chcp.com
PID 2156 wrote to memory of 2764	2156	cmd.exe	PING.EXE
PID 2156 wrote to memory of 2764	2156	cmd.exe	PING.EXE
PID 2156 wrote to memory of 2764	2156	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe
"C:\Users\Admin\AppData\Local\Temp\53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
2⤵
- Creates scheduled task(s)
PID:192

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe
"C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
MD5
a56fea310f3cf5e724ee4a9990047b78

SHA1
d697340615fdb8eedd29cffd0de9ad64fef6c9c9

SHA256
53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0

SHA512
6eabf12efaae5a0493298d44cfb6bf07646064569e055c5e88b61637b97742d7b98105f1e4da6304101db9659b427e64eb0a8646cfaab674e3b607fae46abf2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
MD5
a56fea310f3cf5e724ee4a9990047b78

SHA1
d697340615fdb8eedd29cffd0de9ad64fef6c9c9

SHA256
53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0

SHA512
6eabf12efaae5a0493298d44cfb6bf07646064569e055c5e88b61637b97742d7b98105f1e4da6304101db9659b427e64eb0a8646cfaab674e3b607fae46abf2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
MD5
a56fea310f3cf5e724ee4a9990047b78

SHA1
d697340615fdb8eedd29cffd0de9ad64fef6c9c9

SHA256
53e982e656f91d263494170d71228e6d98c026a23293fbb70176531794d149c0

SHA512
6eabf12efaae5a0493298d44cfb6bf07646064569e055c5e88b61637b97742d7b98105f1e4da6304101db9659b427e64eb0a8646cfaab674e3b607fae46abf2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe
MD5
032cde793d12bf504106586c1019963c

SHA1
fd59bdfdf91b80954abb9d2fb88530db29ead6c5

SHA256
7d51fbe4468edf5e8eb101790656053954061b6b1866726250b851d7c52555ec

SHA512
686c77f98b7c6ff22c6cc91d380c0ac052faf8699cf838f5bcc2848655041417f3451cefc8df3e9a918105f8566ebe0ebb99c564901f2c27744add1414f7b9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpotifySetup1.exe
MD5
032cde793d12bf504106586c1019963c

SHA1
fd59bdfdf91b80954abb9d2fb88530db29ead6c5

SHA256
7d51fbe4468edf5e8eb101790656053954061b6b1866726250b851d7c52555ec

SHA512
686c77f98b7c6ff22c6cc91d380c0ac052faf8699cf838f5bcc2848655041417f3451cefc8df3e9a918105f8566ebe0ebb99c564901f2c27744add1414f7b9e7

Download Submit
\Users\Admin\AppData\Local\Temp\$Zip$nfzHxqP83IGA0hqJOAjO\mozglue.dll
MD5
001e59835b6b76529be2a26d14c3be22

SHA1
eaafc2fe3e6c84afbb35e37801e36f6f5fdf7bcb

SHA256
9dc148ff7cfaf269025df8bb9ddba5a485b4326ad8726b6007bd5415e46e1d38

SHA512
ff3f6ff85171b0125dfa52e707605dffb3e66d59ef1e39e437c566cd59600adf8a8e1e511f07531c8fc8437739b8d29c3113d9cf6e639feada1865c3abbb174b

Download Submit
\Users\Admin\AppData\Local\Temp\$Zip$nfzHxqP83IGA0hqJOAjO\nss3.dll
MD5
01596adbda40189da509305f816ba084

SHA1
cadc705e33f88f26ce4773d082e91fb884dac00e

SHA256
340f01aafd90903767bf391bbf2bddf1360ebfcc66a011e0322fe0f1487fa0bb

SHA512
a0856da7ede030fcdc8e7344d7c6c534a43c6d9ebba08b965ec6c7b892d0fc3cbc2d116b6d9ab453fd7558b78a11178661a9d1e4fae87aeb25f336bf8d06b031

Download Submit
\Users\Admin\AppData\Local\Temp\$Zip$nfzHxqP83IGA0hqJOAjO\sqlite3.dll
MD5
27b43fd0844dff5b07f117a9074491da

SHA1
41c132b6515c22411a9c6397f37d7e777ba7efc9

SHA256
f75e9d6f867155379740bf4b39654549661fc13c4aa58254b016f20f23c5781d

SHA512
b5d335cdce25c12ae049b5ab00393e0ff0523fec8517c797524c745391cf1c3c2e78109f11599b4f237cbedaedcba978377b96c99712b58f71c981fad4e39796

Download Submit
\Users\Admin\AppData\Local\Temp\$Zip$nfzHxqP83IGA0hqJOAjO\twain_32.dll
MD5
650ef10656768f008f9b22d4ec15b81e

SHA1
943e593feb6e69e4f5db02ac23d32120d4cd6b06

SHA256
6c165000b5c1d15e35e664e8e730b6e7884862dbcb85fcfaa03b77bb75959904

SHA512
1946dac2b77b048d7eb85912d11bb8e07ad178fca08b7b72b42d46fe2ed48d7f76d14de240201c61cf44aa5c901148f2a191144e0e9f9a6361ccb422d98da3c1

Download Submit
\Users\Admin\AppData\Local\Temp\$Zip$nfzHxqP83IGA0hqJOAjO\zip.dll
MD5
7e78002f1c1c3b39309519074a91d7fe

SHA1
fac0ed3e187b4b4565bb3d2e2720993aa2c6af68

SHA256
dc62e7f9b027f94d61a6d8f5068047c7dfb4fa34e6eee98a1cd681452dc17a31

SHA512
7051b9d54a69b672f0dfc572c632530e35bce6bec91e6f37739b5ed40ed2de3c8bdb1d15b855d200dac4750fa4457110fba156318d43882f34f2695b1e4ac345

Download Submit
memory/192-123-0x0000000000000000-mapping.dmp

Download
memory/1764-205-0x0000000000000000-mapping.dmp

Download
memory/2156-204-0x0000000000000000-mapping.dmp

Download
memory/2732-184-0x0000000000400000-0x00000000015C7000-memory.dmp

Filesize
17.8MB

Download
memory/2732-185-0x0000000001870000-0x0000000001876000-memory.dmp

Filesize
24KB

Download
memory/2732-183-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/2732-182-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/2732-181-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2732-180-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2732-179-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2732-178-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2732-174-0x0000000000000000-mapping.dmp

Download
memory/2764-206-0x0000000000000000-mapping.dmp

Download
memory/3004-128-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/3004-131-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/3004-124-0x0000000000000000-mapping.dmp

Download
memory/3004-127-0x0000000001810000-0x0000000001811000-memory.dmp

Filesize
4KB

Download
memory/3004-129-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/3004-130-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/3004-134-0x0000000001890000-0x0000000001896000-memory.dmp

Filesize
24KB

Download
memory/3004-133-0x0000000000400000-0x00000000015C7000-memory.dmp

Filesize
17.8MB

Download
memory/3004-132-0x0000000001880000-0x0000000001881000-memory.dmp

Filesize
4KB

Download
memory/3076-190-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/3076-193-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/3076-197-0x0000000001950000-0x0000000001962000-memory.dmp

Filesize
72KB

Download
memory/3076-187-0x0000000000000000-mapping.dmp

Download
memory/3076-196-0x0000000000400000-0x00000000015AF000-memory.dmp

Filesize
17.7MB

Download
memory/3076-195-0x0000000001940000-0x0000000001941000-memory.dmp

Filesize
4KB

Download
memory/3076-194-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/3076-191-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/3076-192-0x0000000001910000-0x0000000001911000-memory.dmp

Filesize
4KB

Download
memory/3600-173-0x000001D2B43D3000-0x000001D2B43D5000-memory.dmp

Filesize
8KB

Download
memory/3600-140-0x000001D2B3F60000-0x000001D2B3F61000-memory.dmp

Filesize
4KB

Download
memory/3600-171-0x000001D2B43D0000-0x000001D2B43D2000-memory.dmp

Filesize
8KB

Download
memory/3600-160-0x000001D2B43E0000-0x000001D2B43E1000-memory.dmp

Filesize
4KB

Download
memory/3600-172-0x000001D2CD430000-0x000001D2CD431000-memory.dmp

Filesize
4KB

Download
memory/3916-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3916-121-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3916-120-0x0000000000400000-0x00000000015C7000-memory.dmp

Filesize
17.8MB

Download
memory/3916-119-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3916-118-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3916-117-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3916-116-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3916-115-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download