Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 05:00
Static task: static1
Behavioral task: behavioral1
Sample: d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe
Resource: win7-20220901-en
General
Target: d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe
Size: 169KB
MD5: 74ad3dbab7b576bd840c61e016d00280
SHA1: d460cb06b278508295c766a7ae5aebb8efde99a1
SHA256: d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15
SHA512: 77576e21fbf715baaf9d91498cbc14a44193fc9e8aa7792bd9e68599b4903064eca0c65fb480947e586e7dfaecdfaa5a6216a9c576a25ef4d5df597b287787f5
SSDEEP: 3072:+Inn9Ai/sRQ4FIn80TZMBNxyBDfH+hiSfERRJprCRAUlKEbkxcKXt7vP09DaIEPJ:YIn80FGNxyE5fExMAUlKCEcK97vc9DBg
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
1532  wininit32.exe
2328  wininit32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description         ioc                                                                                             Process
Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (30 IoCs)
All 30 operations below were performed by d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe. Taken together, they register a new ProgID "zldrv" in the user's Classes hive, point the .exe extension at it, and set both the .exe and zldrv open-command handlers to the dropped wininit32.exe with the originally requested program passed as "%1", so every .exe launched by that user is routed through the dropped binary.
description       ioc
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\DefaultIcon\ = "%1"
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\open\command\IsolatedCommand = "\"%1\" %*"
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\runas\command\ = "\"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\DefaultIcon
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\DefaultIcon\ = "%1"
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\Content-Type = "application/x-msdownload"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\open
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\DefaultIcon
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\ = "zldrv"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\open
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\open\command
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\runas
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\runas\command
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\runas
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\runas\command
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\Content-Type = "application/x-msdownload"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\open\command
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SDL\\wininit32.exe\" /START \"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\ = "Application"
Set value (str)   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\zldrv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SDL\\wininit32.exe\" /START \"%1\" %*"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1532  wininit32.exe
1532  wininit32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                        pid   Process
Token: SeIncBasePriorityPrivilege   1532  wininit32.exe
Token: 33                           5028  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   5028  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1532  wininit32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process                                                               procid_target
PID 5016 wrote to memory of 1532   5016  d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe  82
PID 5016 wrote to memory of 1532   5016  d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe  82
PID 5016 wrote to memory of 1532   5016  d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe  82
PID 1532 wrote to memory of 2328   1532  wininit32.exe                                                         83
PID 1532 wrote to memory of 2328   1532  wininit32.exe                                                         83
PID 1532 wrote to memory of 2328   1532  wininit32.exe                                                         83
Processes

C:\Users\Admin\AppData\Local\Temp\d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4f3728db4d0293148cb2380aa6033283293cf3a804e6e27f30576b61d0d1c15.exe"
  PID: 5016
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\SDL\wininit32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SDL\wininit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SDL\wininit32.exe"
      PID: 1532
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\SDL\wininit32.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SDL\wininit32.exe"
          PID: 2328
          - Executes dropped EXE

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3e8 0x2cc
  PID: 5028
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 169KB
MD5: 11eb1a2a989d6ac5fa9380fb8171c73f
SHA1: b60a77aa471b69cb02c039f99bdaa5f60fa493ba
SHA256: 85d0c338975df636807494d181b301b7699eb678890e716f712f9708c741b782
SHA512: 57b7b5e9c6bc36b31f0fa8ee981ef1ab2c38047ad3c97f24b50e7152453e6a791a01079734914e3f5fd83a7efe909757112f371b658971cf2046bdd98b0921f3