Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-10-2022 05:12
General
-
Target
7581b5505360b3ae579999f56dc32db653085b16a60e298e52fea588cbd834e0.exe
-
Size
160KB
-
MD5
64d8d85300eaea6410a43584b1747018
-
SHA1
2f5e114a3203671fc3549528cc6ee7dfcd6c325b
-
SHA256
7581b5505360b3ae579999f56dc32db653085b16a60e298e52fea588cbd834e0
-
SHA512
600c8332f0f64edaaad532f63f6f5e48eb9842fcda284ce6b3051903672cb13ded27252cb2774120e1d372f26f2d8ecfa95ebeeb5cd0177ca1d137f9f1859e30
-
SSDEEP
3072:5tP08CuBFKCLtNgEBf+xwzEqJ+8+tOAZgwC03fOwYSS4qeO8hk8jb7QSQ:5t8zuBFTsEh+KBJ+OAvPBBS4j/zn0f
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 36 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 27 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7581b5505360b3ae579999f56dc32db653085b16a60e298e52fea588cbd834e0.exe"C:\Users\Admin\AppData\Local\Temp\7581b5505360b3ae579999f56dc32db653085b16a60e298e52fea588cbd834e0.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 5202⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
284KB
MD5e439430997faf032bb90db4cb3cfb85d
SHA1f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8
SHA256d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb
SHA51298f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c
-
Filesize
1.2MB
MD58174bc516ba6943da8e0f2daec453f27
SHA1414db3d2b6875d529a290517033fbf8002a4b319
SHA256f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a
SHA512a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96
-
Filesize
284KB
MD5cf2f6e82e96d05a9f5a0b279188f0b0b
SHA1c4e931d58fef33b8809d8364560243abd71b7522
SHA256185d7fee3ffc31f5c35385322c402cb428250fc6b193ae011bc08ce9356f74ad
SHA512a9e14561b6636bcb27286f3e520d877e20765672b62d59f91b05f740fec0a4d04fe0b37b71effb36d983988f77217429e5428b6b7e95081d1234a2b61ad18617
-
Filesize
203KB
MD54b7fc345b224e5a0537568c1d2beca3b
SHA1a81607b0a5cfb14bd365b2a7e73ee77007834807
SHA256cf8ec0d1f5fd1943067ca317d4cc8cea3ee4986db49f45841ce2c5cbef5f230d
SHA512a39b0a7792133c43fe8c7125d1802a9611ecb62059df2ec082c41700b3f19d5652876069ad8b4aecfd3113b5a1d91baf14a5c39a552a2ee8f8b06e3b9e29c339
-
Filesize
203KB
MD54b7fc345b224e5a0537568c1d2beca3b
SHA1a81607b0a5cfb14bd365b2a7e73ee77007834807
SHA256cf8ec0d1f5fd1943067ca317d4cc8cea3ee4986db49f45841ce2c5cbef5f230d
SHA512a39b0a7792133c43fe8c7125d1802a9611ecb62059df2ec082c41700b3f19d5652876069ad8b4aecfd3113b5a1d91baf14a5c39a552a2ee8f8b06e3b9e29c339
-
Filesize
234KB
MD56c25b0d1c686225b649572d5d6f8a324
SHA1b9c8abee5a78e8357e11390378dd5a3019d29072
SHA2562f535ea63b438d7ae0f6c98864f14b81b858a97f698486e93c3dcf7ccf720be4
SHA512e33d9374c01c8026a3f897dcb8deb53640772e607b38f80cfb8de0c76519faf5a540070ba20330a1f7d9bcc5803e31c5fec363697891b4f8e0910b3e0c4c1ce3
-
Filesize
29.7MB
MD5e7f281ff3574f4322a402cdc5e95662d
SHA19a2a5b0c826072b2491553f0c58ec65ba6a718ea
SHA256b7a3eb3cfa2cede3f94dea58e373805ea1ec887fe0b7ac93b1742b466a0737b6
SHA5125c9d372509c91ab2b452998292da4ce1fd349484ca752e586e1a8cd53f3a86d8cef68869f30c835a65c0714ca42e56fbcb939a3eaf59e5effe4018ab8826a071
-
Filesize
562KB
MD5955c18fbdbb406c21ce39154f3749c02
SHA1e3d174420ac8c031dab50d4289e36bec5cec83d8
SHA256664fabdad44872f0254568a24cb2cd6654ce42e906898fceb4977f832e393770
SHA512a3f35ece6f3c900d5800132dbcfa22541f50aafb19178e152cd04e883e81fd1fcd03201203c2f7cd7b65a5ed65e33d736f18161b06faaae2cf428479505f3c79
-
Filesize
164KB
MD5bbb550756c27e816de3353da389e639b
SHA18c2db9198889e23112f8c5d62aca79b0f7602fea
SHA256f91ea3582b5bb7a26902c2e2bc4cabde09481043aab5789c531d9e3c2e1d2d0c
SHA5129f1ea9ed0c5a53c135e8f95212f0e2560177a12d64620fe7826fb46b94ed748e9f73b701ab2be22433a6627dc262b0e442fde41cff3c65c679dd252209684002
-
Filesize
234KB
MD56c25b0d1c686225b649572d5d6f8a324
SHA1b9c8abee5a78e8357e11390378dd5a3019d29072
SHA2562f535ea63b438d7ae0f6c98864f14b81b858a97f698486e93c3dcf7ccf720be4
SHA512e33d9374c01c8026a3f897dcb8deb53640772e607b38f80cfb8de0c76519faf5a540070ba20330a1f7d9bcc5803e31c5fec363697891b4f8e0910b3e0c4c1ce3
-
Filesize
8KB
-
Filesize
404KB
-
Filesize
404KB
-
-
-
Filesize
448KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
484KB