c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb

Analysis

max time kernel
6s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
Size

6.2MB
MD5

95e661012d34b52fb7e8373a40c7ca68
SHA1

10626926b31d603ee17931de6abff60c8b827b1e
SHA256

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb
SHA512

c625567451518d1d960233169b32af31fa9833431081ffb6017b2a0c4e1b9ea0376d30dc881709b47940e4ce8b254510f212b0e835ae678210714a75ba47af87

Score

8^/10

spyware stealer upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe	upx
C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe	upx
C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe	upx
C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe	upx
C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe	upx
C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2192 PING.EXE
3360 PING.EXE
4716 PING.EXE

pid	process
2192	PING.EXE
3360	PING.EXE
4716	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description pid process

Token: SeDebugPrivilege 4200 c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	pid	process
Token: SeDebugPrivilege	4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

pid	process
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

description	pid	process	target process
PID 4200 wrote to memory of 2336	4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 4200 wrote to memory of 2336	4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
PID 4200 wrote to memory of 2336	4200	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe	c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe

C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
"C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe
C:\Users\Admin\AppData\Local\Temp\c11891614a0d3aab500833e1fb4b0fbf1cec8225bb2f7624bce7e52e526cbebb.exe /nstart
2⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe /nys
2⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZNAs2UN.bat
3⤵
PID:1560

C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:4716

C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe /HomeRegAccess10
2⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
2⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe /HomeRegAccess10
2⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
PID:2024

C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
1⤵
- Runs ping.exe
PID:2192

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
1⤵
- Runs ping.exe
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZNAs2UN.bat
Filesize
493B

MD5
cdb69e987bd9c31297e53905f0bd8673

SHA1
2c4348f17eda01cb18c464b416349c50d24927b7

SHA256
27770035d6d23d8504c078c8aeff751e5ab8b13893df5e233e0f364eac76d3be

SHA512
6c350d3222b4310d2e3010067c1695544c75a8b1bf67c5b76d703f2736bf10f019896d2b32a40ac6cf4c214003e4df5c30a6f644963431bab139d2da4c4e4543

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
Filesize
236KB

MD5
55547e0cd6b935ff494788efb99aaefe

SHA1
e5d29d17a27c6df95fb74e43e6b00356117e2bff

SHA256
27ade26365b137789b66778b1aa73b018aa1806408d39b338ef5f2d33b7bc5e2

SHA512
ef1f8b8f816872902f3535fd56124500121dd3bac4630cfdd5ee2abc55f0438a557dd103dfcf84194b6155c5cadedd6e01bc4b9fa386692e8428d3de517427e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqtqtdi\vbbhczk.exe
Filesize
203KB

MD5
bb8a3e3595812b95166b2681b5b81d94

SHA1
5cad57f2635ea85ed3ced28a6aa14d2a443f536f

SHA256
778c0c5dd9b479e2d468ed01291df9b58e063da8b1a4033b68a44689cd300a49

SHA512
ff186439b2ad713096fc158f1c99c914e1b161289890634485757f39980b870ed93febdb704ebabd4f7be4a4ef624fc946c47d1ee54d76d1dc2b61dd3af08f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
Filesize
175KB

MD5
d2e55105e6420581fb0450494d064a69

SHA1
3ac9b165b66a5aca74d900184178d7ddebc27d60

SHA256
96fe84bff1261ae68ad8758f6a9c1cbf329b6bdb277e735913c078b6ffb5e344

SHA512
2090ba579f985ee6439bf64afebddb8f92d4c6e553d277720f455129af8011d5b1782f3224ed2562227bfe80d41e6938f052b1d79ae52968adfda08d1b09ceb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxmnyqv.exe
Filesize
138KB

MD5
601b861f24bf4be184b116aa45c24844

SHA1
881e0ab8110575a3509ad4c0969d0918d4d86176

SHA256
fe21b1969419b3a2bdd0a230474cbe44103229353513544202349d5404aba83e

SHA512
0b948fd135482972d71117792e897467f6d361d9ba2184e67e62ac16bfdd4dfe9d22e7b32142314ff4f7bc4ca546fad67ddec8f1dfac4a80b8f963f1c3082146

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
Filesize
115KB

MD5
e04c81e43d5a10334103c15f661535e6

SHA1
20be91b5329523a966343cb3af946d137311a861

SHA256
e4b4a8da1691cc861211c6daa3e006801867ed5b423dda8b3fc3641a63ee4480

SHA512
fd07038908fe468516077b6f3a682f65d16f927db18f6a9df845f6ed898e79d85207cbb173fac555350c98a735a137949918c4754eb33bd04b017964eb327498

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkrtwrf.exe
Filesize
152KB

MD5
7da71ea4b2e878085dadbc734ba8e7fe

SHA1
0d215214d372da6c6ed0d2e0888ca98596de6c8f

SHA256
d83a17278a646e011beae24461cd23b0ae7ec1a303386375c2894c89ef85d985

SHA512
ba1f8e2ebbae27e54e1679ebac3890968b74c52e080abdd843ffe41164813c0e9ee82337d97fa17c184a6fa437c56eac4ab12f430902c09c05bfbcd2a07d3cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
Filesize
187KB

MD5
6b00bdbb6e37bd2f9689f34d692fce4f

SHA1
c75d7d718c1f033fc828119cd4a59714eb764196

SHA256
08b91454c5642fb38d0acf1fed777645283691c6fe88af92f3933bb5618de086

SHA512
cda80d349bc754da292f8300dcdf2e1a821d0a8066333a0c99c9063bcbda92a79333457b69eb143bfbd976e5ad4e0b003993a4a93346a242b7dd2dea6664dc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
Filesize
154KB

MD5
1ca43452f491127fc49110bc2771bfbe

SHA1
de0106026431d182715ab42c73b82254202500c7

SHA256
07085b304ce92fb5906313b648d6a519f02e9d34465fb0e2ae16dfb68096c828

SHA512
c116b944af5813f8085fc31d933e1fdc2638541314be92a9a39e242b42efdedf6bb040614907939593c8c2494c6198e7d11d0c28047ed8586016d100c0b209c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
Filesize
155KB

MD5
5704107fd421a7f3e583964652c2bb4e

SHA1
7759dbd56315d2268575c051254ccfe02441858d

SHA256
5ee7004f5f62d7dcd5a88afb6e5981a093bc2fd73131f0c54a6bfe5c2fddf90b

SHA512
00d661227b817ff2c5102f8fb774b5552e33ddd0e60459b52dd925ef65d80ab59d9f6c9a75b3ff0b006dc21c6f3a4d1b7c23e9225f43eeb83d9874c08e4daf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~qctumxi.exe
Filesize
113KB

MD5
c73fbc90145fe5ea5e4bbdbef0abef6c

SHA1
9383094279f32cfe4f8229ddda0e1e74185ce0d2

SHA256
f9fac29a9e38ca9871af9b967ada82e92c2c45154c6723a66645b83f0a6e2b73

SHA512
ccaadb83791031c1ace6c5b0c6485d47a8f8ef12b1dfc366f220abc0c09cb4402e9e03d24f931297e117ae49accce90cc323f6e3885fd615e6c29c92af9164e4

Download Submit
memory/1560-147-0x0000000000000000-mapping.dmp

Download
memory/2024-145-0x0000000000000000-mapping.dmp

Download
memory/2192-150-0x0000000000000000-mapping.dmp

Download
memory/2336-130-0x0000000000000000-mapping.dmp

Download
memory/2940-137-0x0000000000000000-mapping.dmp

Download
memory/3360-149-0x0000000000000000-mapping.dmp

Download
memory/4424-131-0x0000000000000000-mapping.dmp

Download
memory/4628-140-0x0000000000000000-mapping.dmp

Download
memory/4660-142-0x0000000000000000-mapping.dmp

Download
memory/4716-151-0x0000000000000000-mapping.dmp

Download
memory/4848-134-0x0000000000000000-mapping.dmp

Download