Analysis
-
max time kernel
153s -
max time network
165s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-02-2022 22:22
General
-
Target
09637f910840cebb2f1e2524414c8d62.exe
-
Size
5.9MB
-
MD5
09637f910840cebb2f1e2524414c8d62
-
SHA1
f31516f4e0008dd5dea7f85722488a9db7007e43
-
SHA256
58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae
-
SHA512
9498b20333ca822c88358aa773475bd7604b2e1905417d078014ed41b084e2ab28a1ce197bc4e74aa49b3f2659d051cf803fd98ce9115442654c20b96c837a2c
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe C:\Windows\wscntfy.exe2⤵
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\cmd.execmd /C "netsh advfirewall firewall add rule name=\"wscntfy\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe\" enable=yes"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name=\"wscntfy\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe\" enable=yes3⤵
-
C:\Windows\system32\cmd.execmd /C "ipconfig //flushdns"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig //flushdns3⤵
- Gathers network information
-
C:\Windows\system32\cmd.execmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Mystic Entertainment" /f3⤵
-
C:\Windows\system32\cmd.execmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "attrib +S +H C:\Windows\wscntfy.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +S +H C:\Windows\wscntfy.exe3⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
-
C:\Windows\system32\cmd.execmd /C ver2⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
7ed82fb4c4ccc2f1754735a420d6a695
SHA1a8164f1f58eeedb8df82f26789d5550b4294e286
SHA2569654a4359e8cbc8cdabb2d6136acae5c9fc5c20bdb119491c53ad02893e582af
SHA512edd54b6266659ee4e96dd5a260e88274663550f3d848bd513158626433f23802792060550b7c92cc1724e35a01c7d3503d20ef40e701d2255c4ad4b06c2f56aa
-
memory/704-61-0x000000001B730000-0x000000001BA2F000-memory.dmpFilesize
3.0MB
-
memory/704-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmpFilesize
8KB
-
memory/704-58-0x00000000023C2000-0x00000000023C4000-memory.dmpFilesize
8KB
-
memory/704-59-0x00000000023C4000-0x00000000023C7000-memory.dmpFilesize
12KB
-
memory/704-55-0x000007FEF36B0000-0x000007FEF420D000-memory.dmpFilesize
11.4MB
-
memory/704-56-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmpFilesize
4KB
-
memory/704-57-0x00000000023C0000-0x00000000023C2000-memory.dmpFilesize
8KB
-
memory/704-71-0x00000000023CB000-0x00000000023EA000-memory.dmpFilesize
124KB
-
memory/1632-66-0x0000000002030000-0x0000000002032000-memory.dmpFilesize
8KB
-
memory/1632-67-0x0000000002032000-0x0000000002034000-memory.dmpFilesize
8KB
-
memory/1632-68-0x0000000002034000-0x0000000002037000-memory.dmpFilesize
12KB
-
memory/1632-64-0x000007FEF36B0000-0x000007FEF420D000-memory.dmpFilesize
11.4MB
-
memory/1632-69-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/1632-65-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmpFilesize
4KB
-
memory/1632-70-0x000000000203B000-0x000000000205A000-memory.dmpFilesize
124KB