Overview

overview

10

Static

static

a4863b8da0...3f.exe

windows7_x64

10

a4863b8da0...3f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    05-12-2021 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4863b8da0f8b001d7c28b956139e23f.exe

  • Size

    1.3MB

  • MD5

    a4863b8da0f8b001d7c28b956139e23f

  • SHA1

    7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4

  • SHA256

    c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181

  • SHA512

    8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d

Score
10/10
discoverypersistencespywarestealersuricata

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE DCRAT Activity (GET)

    suricata: ET MALWARE DCRAT Activity (GET)

    suricata
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
    "C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
      "C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\services.exe
        "C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\services.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12145/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a4863b8da0f8b001d7c28b956139e23f" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\a4863b8da0f8b001d7c28b956139e23f.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\DXPTaskRingtone\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\fc\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\perfc011\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\RacWmiProv\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:568
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1948

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\services.exe
      MD5

      a4863b8da0f8b001d7c28b956139e23f

      SHA1

      7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4

      SHA256

      c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181

      SHA512

      8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d

      Download Submit
    • C:\Recovery\467657e2-3dd5-11ec-a0d6-f2080972ab74\services.exe
      MD5

      a4863b8da0f8b001d7c28b956139e23f

      SHA1

      7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4

      SHA256

      c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181

      SHA512

      8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
      MD5

      a4863b8da0f8b001d7c28b956139e23f

      SHA1

      7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4

      SHA256

      c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181

      SHA512

      8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MYNZF0CA.txt
      MD5

      7b868505e0ffbd5055835d7f2d83ce60

      SHA1

      08cc6ed145f96e297c1bd12c883adf3941c18afa

      SHA256

      c93e46c6b183d8a5304725e1fd5a43c37557f173e0702a967210b005ceb3f3eb

      SHA512

      2b281f6edf2e8e5ac1fa01530cdfe887555a4122206a22fb44bde11edbc1faec842ece67b9105845c54ae88cc1ced49267efbd4a4163e6cdc551d15563c5b54f

      Download Submit
    • memory/524-62-0x0000000000590000-0x0000000000595000-memory.dmp
      Filesize

      20KB

      Download
    • memory/524-67-0x00000000005E0000-0x00000000005E6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/524-55-0x0000000000F50000-0x0000000000F51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/524-63-0x00000000005A0000-0x00000000005A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/524-64-0x0000000000580000-0x0000000000585000-memory.dmp
      Filesize

      20KB

      Download
    • memory/524-65-0x00000000005C0000-0x00000000005C5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/524-66-0x00000000005D0000-0x00000000005D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/524-58-0x00000000003C0000-0x00000000003CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/524-68-0x00000000005F0000-0x00000000005F4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/524-57-0x000000001AFE0000-0x000000001AFE2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/524-60-0x0000000000570000-0x0000000000577000-memory.dmp
      Filesize

      28KB

      Download
    • memory/524-61-0x00000000005B0000-0x00000000005B7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/524-59-0x0000000000560000-0x0000000000561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1688-102-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-98-0x000000001ADE0000-0x000000001ADE2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1812-88-0x0000000000810000-0x0000000000811000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-103-0x000000001ADE6000-0x000000001AE05000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1992-73-0x000000001AF50000-0x000000001AF52000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1992-69-0x0000000000000000-mapping.dmp
      Download
    • memory/2040-104-0x0000000000000000-mapping.dmp
      Download