9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d

Analysis

max time kernel
161s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
Size

887KB
MD5

498d5b0dae4bb89ce636a3f000bc3360
SHA1

d813622863215be48af5f29eb0465480b7009779
SHA256

9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d
SHA512

5b1dff856127930f23d70315740eaf2e9f4877d9f673759c24d46542c119f6e41ade62def91163efce983bdbaa969ecf42a1083dc3d3689b3ad9d6e13a504716
SSDEEP

12288:cQyN/7YkrWBfWhvRhQUkcVS15NkiM6aOvYsRzBtHnwi/AXwnKRh4e2Y0Xp:cQyN/7DSBfWhkcVQ+6aOvYs1+0X

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4220	elevation_service.exe
1968	elevation_service.exe
3736	maintenanceservice.exe
4876	OSE.EXE
60	ssh-agent.exe
4284	AgentService.exe
2064	wbengine.exe
1920	TrustedInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\E:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\F:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\G:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\H:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\L:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\O:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\Z:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\I:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\K:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\P:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\T:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\X:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\Y:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\J:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\U:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\W:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\M:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\N:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\R:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\S:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened (read-only)	\??\V:	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\wbengine.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\msdtc.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\Appvclient.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\snmptrap.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\fxssvc.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\Agentservice.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\msiexec.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\program files\windows media player\wmpnetwk.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\7-Zip\7zFM.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\7-Zip\7zG.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.vir	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3632	4220	WerFault.exe	82
3528	1968	WerFault.exe	86
1252	3736	WerFault.exe	89
312	4876	WerFault.exe	92
3560	60	WerFault.exe	95
4412	4284	WerFault.exe	98
4152	2064	WerFault.exe	101

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4984	9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe

C:\Users\Admin\AppData\Local\Temp\9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe
"C:\Users\Admin\AppData\Local\Temp\9fdddaed0e2f035c30a1d43c9cf9b48e5c2aa1e8803bd542c1152beca59b4b3d.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4220
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4220 -s 392
  2⤵
  - Program crash
  PID:3632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4220 -ip 4220
1⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1968 -s 116
  2⤵
  - Program crash
  PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 1968 -ip 1968
1⤵
PID:2388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3736 -s 400
  2⤵
  - Program crash
  PID:1252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3736 -ip 3736
1⤵
PID:2108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4876 -s 176
  2⤵
  - Program crash
  PID:312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 4876 -ip 4876
1⤵
PID:4380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:60
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 60 -s 232
  2⤵
  - Program crash
  PID:3560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 60 -ip 60
1⤵
PID:4228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4284 -s 392
  2⤵
  - Program crash
  PID:4412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4284 -ip 4284
1⤵
PID:5092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:2064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2064 -s 492
  2⤵
  - Program crash
  PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2064 -ip 2064
1⤵
PID:4484

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c2bfc06eb0ba16046938f2b0c166291

SHA1
371df559268cbb0d1facfe2b1a8b82ffb03b765d

SHA256
3bcb6f1669dadc367265ca0b47df304876ece5c3c18f3c79d1791f33f5de62ac

SHA512
e3bd62fd5bab5ecfb764e8e50a9a6dd1bff56b42429c0fdaaab1807fb39ee681709a03ec842c34ed4a2b4f4e6972546234192104300fa86fc97b4af0ba6b6e0d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
738KB

MD5
a7ebec44bff3f47dcc5a17f898013f81

SHA1
91a8288e049a5cb6d1e23fe85e9303c11e39bb46

SHA256
b06847a5742b1378f72158750bdd4c9de97076318a9744bc2b643eac9286fc3a

SHA512
bebf2aed92038928b885de01434574a2646bb7a3d772f9928ffd82a46b417e34f3025b39f863d2fe1c1de70365a2de745b50d1e44bb401dbf1af8ed5fbdf4812

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
748KB

MD5
2b70f338c542f58f73790cc7d24ec9df

SHA1
04941b7e1a9fd04ba39cbccbc9aa995816518a65

SHA256
cd643dd1ecf6d7d627361b6fbfd9d6aea83561108805ffc4efe4b610ad04b047

SHA512
846b014c12595d92f0309fc97bcd798fff4462337dbcec8db4be1f9f542554113aa617cc74ef50ea0a5bc26be21d604bbdf51148af292a9157229fac01cc471b

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
0e8a771532f6779f2994762074b8f4e4

SHA1
355b95194ce44502f9f223d1b2ed6da0976af4e0

SHA256
f05d28b0b2e2dba52067e2aba5345de5b56d2221580659c7085e7add729d049d

SHA512
60d4405f8c4f5bfc0afa32d92f30fa722b83372dfb827795894bd0a0629ab550ec86d16a45bbe93ab215a3ed1bf0644de423dad3fe954085f1af150c89b6356d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
db8265eac64864fca2a8dd3291fa96c0

SHA1
39eb07319cfcf6787e70e3646c793d48613af0e7

SHA256
619715e874e2c275771bd6490d760d6a8a462ffa53187bb9bfbbddf5aeeed218

SHA512
d81e27edceb0dfaa0e7d3bbe8360011c91e7fb976f049b51e43d35e5b7c6564a772d118cd6e2c9f68012088b1a2d232968e79125734a1b047801d4447859c187

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
9db107950778b0850ad07adcad646ac8

SHA1
1790a5c9155414cdd6facfd6eb0344b5720d3f36

SHA256
5d4c1cc5e9aebd9bb01bacda8d6f928a3ecaf09b420b3e87db5f8dcb336976cd

SHA512
fdbda1f65a5a3dac18d7b2c20a5b27061dc0f2ef8afdc27eb710bcdfa0eddd9709d3479c9dcf26264d547b851a4d5bf95737d53500557de3831de42ee86c6fb1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
9db107950778b0850ad07adcad646ac8

SHA1
1790a5c9155414cdd6facfd6eb0344b5720d3f36

SHA256
5d4c1cc5e9aebd9bb01bacda8d6f928a3ecaf09b420b3e87db5f8dcb336976cd

SHA512
fdbda1f65a5a3dac18d7b2c20a5b27061dc0f2ef8afdc27eb710bcdfa0eddd9709d3479c9dcf26264d547b851a4d5bf95737d53500557de3831de42ee86c6fb1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
7669358407ea4ce95e002f8cb63ae056

SHA1
dc7333c1a08d12fcd7e97893c98004fdcde5b899

SHA256
6563377ba295357fe3d690b6bdee0f64b67bf099af27e61a04eb0fef89668357

SHA512
9499d8e0ba66a23449cb90eb864b38b9211439ac7537558e7e38eb82828a0f41865d668fcaa20e89caf1dd3d7a9e286300f73dc587814bf131b35de5bea06155

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
memory/60-145-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1968-138-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/2064-151-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/2064-150-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/3736-140-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/4220-136-0x0000000140000000-0x0000000140342000-memory.dmp

Filesize
3.3MB

Download
memory/4220-135-0x0000000140000000-0x0000000140342000-memory.dmp

Filesize
3.3MB

Download
memory/4284-147-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/4284-148-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/4876-142-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/4984-132-0x000000004AD00000-0x000000004AEF9000-memory.dmp

Filesize
2.0MB

Download
memory/4984-133-0x000000004AD00000-0x000000004AEF9000-memory.dmp

Filesize
2.0MB

Download