090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Size

533KB
MD5

60bf216bd89b6faeb8f52aa8b73b4e08
SHA1

85795a51b062861f11e059a97aaf5fa46e9e68d3
SHA256

090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8
SHA512

d550e091b7853d9557c18750d5e10342efc2c731db7d56a71421d29934f8c205490bfdc624b8a9bb45072be0618a1077d7ed1614b73f9c6fb74decd9e8ae7c80
SSDEEP

12288:gXsVa0LWyNkUK8drvf+5pnFYGq6O881MS+Nkz1hH3F1T:WmW7oNO5pFYyO88KRO1J

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	kar.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: SeIncBasePriorityPrivilege	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: 33	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: SeIncBasePriorityPrivilege	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: 33	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: SeIncBasePriorityPrivilege	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: 33	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: SeIncBasePriorityPrivilege	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
Token: 33	2012	kar.exe
Token: SeIncBasePriorityPrivilege	2012	kar.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2012	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe	26
PID 1504 wrote to memory of 2012	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe	26
PID 1504 wrote to memory of 2012	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe	26
PID 1504 wrote to memory of 2012	1504	090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe	26

C:\Users\Admin\AppData\Local\Temp\090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe
"C:\Users\Admin\AppData\Local\Temp\090390c056a8ede941bd4f6bf3a3d3f631688fd34b9b14cb9941cd1525030eb8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2011.08.15T21.55\Virtual\STUBEXE\@APPDATALOCAL@\Temp\kar.exe
  "C:\Users\Admin\AppData\Local\Temp\kar.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2011.08.15T21.55\Virtual\STUBEXE\@APPDATALOCAL@\Temp\kar.exe

Filesize
17KB

MD5
ee3ac6f4f5e134ea31f6a0e65c1c210c

SHA1
68af40f0e524e3583913286bcc91b75e6ebc9c10

SHA256
ee8b196b526366dc8a4372e90be9f63cec1d037e47083fb0ed981b942d3848c5

SHA512
91cb3ad70a2d6408a78763f2af0a6b0ffc0448f0f7357b7fe5fe061e13712ea11da8d4c2b4c0d01ba8c7ffef8255022ed41cb3e599ba0780f7b41a0e0514ffe0

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2011.08.15T21.55\Virtual\STUBEXE\@APPDATALOCAL@\Temp\kar.exe

Filesize
17KB

MD5
ee3ac6f4f5e134ea31f6a0e65c1c210c

SHA1
68af40f0e524e3583913286bcc91b75e6ebc9c10

SHA256
ee8b196b526366dc8a4372e90be9f63cec1d037e47083fb0ed981b942d3848c5

SHA512
91cb3ad70a2d6408a78763f2af0a6b0ffc0448f0f7357b7fe5fe061e13712ea11da8d4c2b4c0d01ba8c7ffef8255022ed41cb3e599ba0780f7b41a0e0514ffe0

Download Submit
memory/1504-90-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-100-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-63-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-61-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-65-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-67-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-69-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-71-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-73-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-75-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-77-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-79-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-81-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-83-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-86-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-88-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-92-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-94-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-54-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-96-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-59-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-104-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-98-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-102-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-106-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-110-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-108-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-112-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-114-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-116-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-118-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-363-0x000000000026B000-0x000000000026D000-memory.dmp

Filesize
8KB

Download
memory/1504-57-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-677-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1504-55-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2012-672-0x0000000000460000-0x00000000004CC000-memory.dmp

Filesize
432KB

Download
memory/2012-673-0x00000000004AB000-0x00000000004AD000-memory.dmp

Filesize
8KB

Download
memory/2012-674-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2012-675-0x0000000000460000-0x00000000004CC000-memory.dmp

Filesize
432KB

Download
memory/2012-676-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download