Analysis

max time kernel: 150s
max time network: 133s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 00:25
Static task: static1

Behavioral task: behavioral1
  Sample: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
  Resource: win10v2004-20220722-en
General

Target: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
Size: 164KB
MD5: 4ab7f450124b7b4400bf866243d41a19
SHA1: 37d2b935cfb5424f675aa707efc29e0a526a59f9
SHA256: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f
SHA512: cc13ce5852f6297820f59114135f0cfbe0131a4542761b6f3a875d6ed501086257406faa31f16e1e4521d06814e1720a6abe3b270c39aeb4dc6b94a6eb71b42c
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  1328  SyncSend.exe

Deletes itself (1 IoC)
  PID   Process
  608   cmd.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, and it is sometimes used as a sandbox environment; checking for its registry keys is a common way for a sample to detect that it is running under Wine.
  Description   IoC                                                                           Process
  Key opened    \REGISTRY\MACHINE\Software\Wow6432Node\WINE                                   573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\WINE   573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
  1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
Both registry writes are attributed to svchost.exe (PID 1536 in the process tree below), not to the dropper itself.
  Description      IoC                                                                                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\SyncSend.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SyncSend.exe\""   svchost.exe
  Key created      \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\Currentversion\Run                                                                                                                svchost.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  PID   Process                                                               Count
  1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe  10
  1536  svchost.exe                                                           18

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description                 PID   Process
  Token: SeSecurityPrivilege  1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  1536  svchost.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Each distinct writer/target pair is listed once with the number of times the report records it. procid_target is a report-internal identifier for the target process; the target's Windows PID is the one named in the description.
  Description                        PID   Process                                                               procid_target  Count
  PID 1976 wrote to memory of 1328   1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe  27             4
  PID 1976 wrote to memory of 608    1976  573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe  28             4
  PID 1328 wrote to memory of 1536   1328  SyncSend.exe                                                          30             8
  PID 1328 wrote to memory of 696    1328  SyncSend.exe                                                          31             8
Processes

C:\Users\Admin\AppData\Local\Temp\573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe"
  PID: 1976
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncSend.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncSend.exe"
    PID: 1328
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe
      PID: 1536
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe
      PID: 696

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd49cfacbe.bat"
    PID: 608
    - Deletes itself

Two details in this tree matter for triage. Both svchost.exe instances are 32-bit (SysWOW64), carry no service arguments, and are children of SyncSend.exe; legitimate svchost.exe instances are started by services.exe with a -k group argument, so together with the WriteProcessMemory rows from PID 1328 into PIDs 1536 and 696 this is consistent with code injection into a freshly created svchost.exe, which then performs the Run-key write. The cmd.exe child was requested as C:\Windows\system32\cmd.exe but resolved to C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection and confirms the dropper runs as a 32-bit process.
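The WriteProcessMemory rows and the process tree above carry the same information in two shapes; the script below, an added example for this page and not part of the sandbox report or its tooling, rebuilds the tree from the "wrote to memory of" rows and flags the svchost.exe instances whose writer is not services.exe. The EVENTS lines are constructed copies of the report's rows (including one duplicate, as the report repeats each pair), the IMAGES map is taken from the Processes section because the rows only name the writer, and the EXPECTED_PARENT table is an assumption encoded for the demo.

```python
"""
Rebuild a process tree from sandbox "PID A wrote to memory of B" rows and flag
targets whose legitimate parent is fixed (svchost.exe -> services.exe) but whose
writer here is something else.  Added example; not the report's own code.
"""
import re
from collections import defaultdict

SAMPLE = "573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f.exe"

# Constructed copies of the report's WriteProcessMemory rows.  The report
# repeats each pair several times; one duplicate is kept here to show dedup.
EVENTS = [
    f"PID 1976 wrote to memory of 1328 1976 {SAMPLE} 27",
    f"PID 1976 wrote to memory of 608 1976 {SAMPLE} 28",
    "PID 1328 wrote to memory of 1536 1328 SyncSend.exe 30",
    "PID 1328 wrote to memory of 1536 1328 SyncSend.exe 30",
    "PID 1328 wrote to memory of 696 1328 SyncSend.exe 31",
    "unrelated row that the parser must ignore",
]

# Image name per PID, taken from the report's Processes section; the IoC rows
# only name the writing process, not the target.
IMAGES = {
    1976: SAMPLE,
    1328: "SyncSend.exe",
    608: "cmd.exe",
    1536: "svchost.exe",
    696: "svchost.exe",
}

# Assumption for the demo: Windows binaries with a single legitimate parent.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <report id>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_events(lines):
    """Return unique (writer_pid, target_pid, writer_image) edges, in order."""
    edges = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each writer PID to the PIDs it wrote into (its children here)."""
    children = defaultdict(list)
    for writer, target, _ in edges:
        children[writer].append(target)
    return children


def render_tree(children, images, root, depth=0):
    """Indented text tree rooted at `root`, in the style of the Processes section."""
    lines = [f"{'  ' * depth}{images.get(root, '?')} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


def anomalous_parents(edges, images, expected=EXPECTED_PARENT):
    """Targets whose image has a fixed legitimate parent that is not the writer.

    Returns (target_pid, target_image, writer_pid, writer_image) per hit.
    """
    hits = []
    for writer, target, writer_image in edges:
        target_image = images.get(target, "?").lower()
        allowed = expected.get(target_image)
        if allowed and writer_image.lower() not in allowed:
            hits.append((target, target_image, writer, writer_image))
    return hits


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    print("\n".join(render_tree(build_tree(edges), IMAGES, 1976)))
    for target, timg, writer, wimg in anomalous_parents(edges, IMAGES):
        print(f"ALERT: {timg} PID {target} written to by {wimg} PID {writer}")
```

The same parent check applied to live telemetry (a parent/child pair from process-creation events rather than from a sandbox row) is the usual hunting query for this pattern; the rows here give the writer as parent because the report records the memory write into the just-created child.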
Network
MITRE ATT&CK Enterprise v6
Downloads

(path not recorded in the report)
  Filesize: 313B
  MD5: 701405b0911e8ca1ca58e56d07b0c46e
  SHA1: 9699811ce303af356f9c061021821b4b8b83a72d
  SHA256: 926032b2e65e8a94e8a81040b04209781fc8111c173d6bdf17a26360672c6685
  SHA512: 658c9690766e075dce9c4d5d920871286b04aad45d476022a92b20b9c3c63ce6aba1dbad8628435d6d84ddbcf0faea903e357f27270209dd67c98b045ba822ea

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncSend.exe (listed twice in the report)
  Filesize: 164KB
  MD5: 4ab7f450124b7b4400bf866243d41a19
  SHA1: 37d2b935cfb5424f675aa707efc29e0a526a59f9
  SHA256: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f
  SHA512: cc13ce5852f6297820f59114135f0cfbe0131a4542761b6f3a875d6ed501086257406faa31f16e1e4521d06814e1720a6abe3b270c39aeb4dc6b94a6eb71b42c

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncSend.exe (listed twice in the report)
  Filesize: 164KB
  MD5: 4ab7f450124b7b4400bf866243d41a19
  SHA1: 37d2b935cfb5424f675aa707efc29e0a526a59f9
  SHA256: 573032a583013a819dc46f1040e37506f700ddec7ac92f4292ce79a83d48c92f
  SHA512: cc13ce5852f6297820f59114135f0cfbe0131a4542761b6f3a875d6ed501086257406faa31f16e1e4521d06814e1720a6abe3b270c39aeb4dc6b94a6eb71b42c

The dropped SyncSend.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample (see General), so the dropper copies itself unchanged into the Flash Player directory rather than writing a distinct second stage; the hash of the original is therefore also the hash to hunt for under %APPDATA%\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\. The 313-byte file has no path in the report and its contents are not shown.