39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-06-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29c2bf29259cca10e60041001b343cb.exe
Size

266KB
MD5

a29c2bf29259cca10e60041001b343cb
SHA1

9f193df4a262989c24d7c212c2fd0c986829468c
SHA256

39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4
SHA512

c3f7a2f0ae60064b66ce872db59454709e73c2dadeb456993434c6ca940dc6584b68adba0f0b683bfdac28d4781dedced6966512d2ef9fc6c21cc02366003b25

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

BC063.exeAH0M3.exeDG4FC8ECA5EKM6F.exe

pid process

3916 BC063.exe
4752 AH0M3.exe
3940 DG4FC8ECA5EKM6F.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AH0M3.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation AH0M3.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3484 rundll32.exe
3484 rundll32.exe
3560 rundll32.exe
3560 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3916	BC063.exe
4752	AH0M3.exe
3940	DG4FC8ECA5EKM6F.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	AH0M3.exe

pid	process
3484	rundll32.exe
3484	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1008	2360	WerFault.exe	a29c2bf29259cca10e60041001b343cb.exe
4932	2360	WerFault.exe	a29c2bf29259cca10e60041001b343cb.exe
1964	3916	WerFault.exe	BC063.exe
3656	2360	WerFault.exe	a29c2bf29259cca10e60041001b343cb.exe

Modifies registry class 1 IoCs

Processes:

AH0M3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings AH0M3.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

BC063.exe

pid process

3916 BC063.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BC063.exe

description pid process

Token: SeDebugPrivilege 3916 BC063.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DG4FC8ECA5EKM6F.exe

pid process

3940 DG4FC8ECA5EKM6F.exe
3940 DG4FC8ECA5EKM6F.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	AH0M3.exe

pid	process
3916	BC063.exe

description	pid	process
Token: SeDebugPrivilege	3916	BC063.exe

pid	process
3940	DG4FC8ECA5EKM6F.exe
3940	DG4FC8ECA5EKM6F.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a29c2bf29259cca10e60041001b343cb.exeAH0M3.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2360 wrote to memory of 3916	2360	a29c2bf29259cca10e60041001b343cb.exe	BC063.exe
PID 2360 wrote to memory of 3916	2360	a29c2bf29259cca10e60041001b343cb.exe	BC063.exe
PID 2360 wrote to memory of 3916	2360	a29c2bf29259cca10e60041001b343cb.exe	BC063.exe
PID 2360 wrote to memory of 4752	2360	a29c2bf29259cca10e60041001b343cb.exe	AH0M3.exe
PID 2360 wrote to memory of 4752	2360	a29c2bf29259cca10e60041001b343cb.exe	AH0M3.exe
PID 2360 wrote to memory of 4752	2360	a29c2bf29259cca10e60041001b343cb.exe	AH0M3.exe
PID 4752 wrote to memory of 176	4752	AH0M3.exe	control.exe
PID 4752 wrote to memory of 176	4752	AH0M3.exe	control.exe
PID 4752 wrote to memory of 176	4752	AH0M3.exe	control.exe
PID 2360 wrote to memory of 3940	2360	a29c2bf29259cca10e60041001b343cb.exe	DG4FC8ECA5EKM6F.exe
PID 2360 wrote to memory of 3940	2360	a29c2bf29259cca10e60041001b343cb.exe	DG4FC8ECA5EKM6F.exe
PID 176 wrote to memory of 3484	176	control.exe	rundll32.exe
PID 176 wrote to memory of 3484	176	control.exe	rundll32.exe
PID 176 wrote to memory of 3484	176	control.exe	rundll32.exe
PID 3484 wrote to memory of 3580	3484	rundll32.exe	RunDll32.exe
PID 3484 wrote to memory of 3580	3484	rundll32.exe	RunDll32.exe
PID 3580 wrote to memory of 3560	3580	RunDll32.exe	rundll32.exe
PID 3580 wrote to memory of 3560	3580	RunDll32.exe	rundll32.exe
PID 3580 wrote to memory of 3560	3580	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a29c2bf29259cca10e60041001b343cb.exe
"C:\Users\Admin\AppData\Local\Temp\a29c2bf29259cca10e60041001b343cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\BC063.exe
"C:\Users\Admin\AppData\Local\Temp\BC063.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1884
3⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 488
2⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 324
2⤵
- Program crash
PID:4932

C:\Users\Admin\AppData\Local\Temp\AH0M3.exe
"C:\Users\Admin\AppData\Local\Temp\AH0M3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\eKSNV.CPl",
3⤵
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\eKSNV.CPl",
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\eKSNV.CPl",
5⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\eKSNV.CPl",
6⤵
- Loads dropped DLL
PID:3560

C:\Users\Admin\AppData\Local\Temp\DG4FC8ECA5EKM6F.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 436
2⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2360 -ip 2360
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2360 -ip 2360
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3916 -ip 3916
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2360 -ip 2360
1⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AH0M3.exe
Filesize
1.4MB

MD5
7ffadc18c2a83f1aded134f264151734

SHA1
d753a6e0520942e6e8f6522026c7b6ebce0b0adc

SHA256
9e5ba91201d3d2b83a0fc4620964504ab202bdb4ef96ed12d11c9f370758b428

SHA512
469a5a8ae1d153dc189a8799a54d55092413eeff4842d632372b8e207659c4251006deea28fac8ee57741db1dc4fbd8926bce27893a042e8a14b2c635d4c2299

Download Submit
C:\Users\Admin\AppData\Local\Temp\AH0M3.exe
Filesize
1.4MB

MD5
7ffadc18c2a83f1aded134f264151734

SHA1
d753a6e0520942e6e8f6522026c7b6ebce0b0adc

SHA256
9e5ba91201d3d2b83a0fc4620964504ab202bdb4ef96ed12d11c9f370758b428

SHA512
469a5a8ae1d153dc189a8799a54d55092413eeff4842d632372b8e207659c4251006deea28fac8ee57741db1dc4fbd8926bce27893a042e8a14b2c635d4c2299

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC063.exe
Filesize
378KB

MD5
01a0434cba47d4f424b2924c48cd6d56

SHA1
44c3062784c4d77afa61d47cd98b0eb79474fcdc

SHA256
b8c90a81ee898924e3859beab8a3d01de6b30e2e61f9a84f67a63b0807f1a6f9

SHA512
5ba990669c3599091af5850e5c3d4055fe3e437258aff6a074d218037642640f688807678de012d2e4bef84ddc8a522f560ea15220cba3f9b4b6aac37f7e7a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC063.exe
Filesize
378KB

MD5
01a0434cba47d4f424b2924c48cd6d56

SHA1
44c3062784c4d77afa61d47cd98b0eb79474fcdc

SHA256
b8c90a81ee898924e3859beab8a3d01de6b30e2e61f9a84f67a63b0807f1a6f9

SHA512
5ba990669c3599091af5850e5c3d4055fe3e437258aff6a074d218037642640f688807678de012d2e4bef84ddc8a522f560ea15220cba3f9b4b6aac37f7e7a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DG4FC8ECA5EKM6F.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\DG4FC8ECA5EKM6F.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKSNV.CPl
Filesize
31.3MB

MD5
3f56ad7be146d8e69654c618cba9df09

SHA1
eb0f1ff5ad0893d4fcf5b70e1ae6dfb19d69b6ef

SHA256
1b38716ae06e03903c21dc1d2bb253233c5378683228682516583bd029eaf23f

SHA512
2847fdfffd059b4e1ab70342411f4c9bcb6c87f62b8c0657549f16d420cfe9fd47e5666abbd5020a5514b818a1850e9c062d5fe425660080ee26a3f3ebfe9f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKSNV.cpl
Filesize
32.8MB

MD5
1b09be85c7a660f79ab93efa539b1d02

SHA1
76da14feab13d788dbef939dd8309dc3922e594f

SHA256
8c13492a9df25e3549fbbc2f35a5cb431df0568f795ee0204c9471cc9d414dcb

SHA512
9c5b2eb3cef0d26cf4b79b61a6496dd92dba4375a2d95185850a83c3a17d8af36fed663ea201176f2ab7d09478f920681efeedf1b326da3c0a8c7f004e89ae55

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKSNV.cpl
Filesize
30.7MB

MD5
d4d2f436d4bd5ee4b1dd74ce17f61471

SHA1
d491a861b48e5b44f2a89e87ff9512a6770c074d

SHA256
86ac04c1a58cae79b059041bfe6b0ba073e973cf164e28c6b802749fed1864b1

SHA512
526668fee747d1f4051c73f071271bc0e6c0a699d16f544899b0bb12b7bacae31860fe3e0609fce313f6e481ddbbce07b9a36520564f45cec5e702e73f303e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKSNV.cpl
Filesize
25.5MB

MD5
a9eca61c6a65ca48fe19fab19a05453e

SHA1
f3ac25dfb3a62e086512031c631c00807eaa7063

SHA256
22461c82b650ef04e556fc69bb81295326d9e1b9ff9f48bc42d9c87668c6dba6

SHA512
d4ff13a645635fab6f1f84fc41ee52e9a041de17b9af04875f76df601aacd53a8fda85f8d4878b70b182a378203754b964c2d1e746e90d52bcdb60b19fe01af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKSNV.cpl
Filesize
27.0MB

MD5
b524625c27f9ed4f1aba2328e0091e0c

SHA1
6a89ea47be7589a217badb9cef18cb8641043c51

SHA256
78ad5321398f33d0ab6b50f4a71faff6f91e28244ded1ab88d3660940897dc4d

SHA512
96f5b1226ffe996920615db80a99e4de9bf1b211ba5667829140708576dcdf9faaa94896823b02a62d24f8a020ff737ddf8aa7910c13281833fd89ef196d18e8

Download Submit
memory/176-160-0x0000000000000000-mapping.dmp

Download
memory/2360-171-0x0000000002FA2000-0x0000000002FB2000-memory.dmp

Filesize
64KB

Download
memory/2360-130-0x0000000002FA2000-0x0000000002FB2000-memory.dmp

Filesize
64KB

Download
memory/2360-173-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/2360-134-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/2360-133-0x0000000002FA2000-0x0000000002FB2000-memory.dmp

Filesize
64KB

Download
memory/2360-132-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/2360-131-0x0000000002F40000-0x0000000002F5F000-memory.dmp

Filesize
124KB

Download
memory/3484-172-0x000000002EEC0000-0x000000002EF7D000-memory.dmp

Filesize
756KB

Download
memory/3484-165-0x0000000000000000-mapping.dmp

Download
memory/3484-187-0x000000002F040000-0x000000002F0FC000-memory.dmp

Filesize
752KB

Download
memory/3484-176-0x000000002D8E0000-0x000000002D981000-memory.dmp

Filesize
644KB

Download
memory/3484-175-0x000000002D810000-0x000000002D8C5000-memory.dmp

Filesize
724KB

Download
memory/3484-174-0x000000002F040000-0x000000002F0FC000-memory.dmp

Filesize
752KB

Download
memory/3484-169-0x0000000002C40000-0x0000000003C40000-memory.dmp

Filesize
16.0MB

Download
memory/3560-180-0x0000000000000000-mapping.dmp

Download
memory/3560-189-0x000000002F300000-0x000000002F3A1000-memory.dmp

Filesize
644KB

Download
memory/3560-188-0x000000002F240000-0x000000002F2F5000-memory.dmp

Filesize
724KB

Download
memory/3560-186-0x000000002F180000-0x000000002F23C000-memory.dmp

Filesize
752KB

Download
memory/3560-185-0x000000002F000000-0x000000002F0BD000-memory.dmp

Filesize
756KB

Download
memory/3560-183-0x0000000002EA0000-0x0000000003EA0000-memory.dmp

Filesize
16.0MB

Download
memory/3580-179-0x0000000000000000-mapping.dmp

Download
memory/3916-141-0x0000000000400000-0x0000000002DD4000-memory.dmp

Filesize
41.8MB

Download
memory/3916-135-0x0000000000000000-mapping.dmp

Download
memory/3916-145-0x00000000081B0000-0x00000000082BA000-memory.dmp

Filesize
1.0MB

Download
memory/3916-144-0x0000000008190000-0x00000000081A2000-memory.dmp

Filesize
72KB

Download
memory/3916-143-0x0000000007B70000-0x0000000008188000-memory.dmp

Filesize
6.1MB

Download
memory/3916-156-0x0000000000400000-0x0000000002DD4000-memory.dmp

Filesize
41.8MB

Download
memory/3916-149-0x00000000085E0000-0x0000000008646000-memory.dmp

Filesize
408KB

Download
memory/3916-142-0x00000000075C0000-0x0000000007B64000-memory.dmp

Filesize
5.6MB

Download
memory/3916-148-0x0000000003140000-0x000000000317A000-memory.dmp

Filesize
232KB

Download
memory/3916-155-0x000000000AC10000-0x000000000AC60000-memory.dmp

Filesize
320KB

Download
memory/3916-140-0x0000000003140000-0x000000000317A000-memory.dmp

Filesize
232KB

Download
memory/3916-154-0x0000000009320000-0x000000000984C000-memory.dmp

Filesize
5.2MB

Download
memory/3916-153-0x0000000009150000-0x0000000009312000-memory.dmp

Filesize
1.8MB

Download
memory/3916-152-0x0000000008F50000-0x0000000008F6E000-memory.dmp

Filesize
120KB

Download
memory/3916-151-0x0000000008E30000-0x0000000008EA6000-memory.dmp

Filesize
472KB

Download
memory/3916-139-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3916-150-0x0000000008D80000-0x0000000008E12000-memory.dmp

Filesize
584KB

Download
memory/3916-146-0x00000000082D0000-0x000000000830C000-memory.dmp

Filesize
240KB

Download
memory/3916-147-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3940-161-0x0000000000000000-mapping.dmp

Download
memory/3940-184-0x00007FFAB7430000-0x00007FFAB7EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-164-0x00000292A5A80000-0x00000292A5A86000-memory.dmp

Filesize
24KB

Download
memory/3940-170-0x00007FFAB7430000-0x00007FFAB7EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-157-0x0000000000000000-mapping.dmp

Download